[freenet-dev] Why WoTs won't work....

2009-05-27 Thread Thomas Sachau
Evan Daniel wrote:
> On Wed, May 27, 2009 at 1:29 PM, Thomas Sachau wrote:
>>> A small number could still be rather large.  Having thousands see it
>>> ought to suffice.  For the current network, I see no reason not to
>>> have the (default) limits such that basically everyone sees it.
>> If your small number is that big, you should add that because for me,
>> "small" is not around "thousands". Additionally, if you allow them to
>> reach thousands (will a freenet based message system ever reach more
>> people?), is there any value in restricting this anyway?
> 
> Currently, the total number of people using Freenet is small.
> Hopefully that will not always be the case.  Designing a new system
> that assumes it will always be the case seems like a rather bad idea
> to me.
> 
> In this context, I would say small means sublinear growth with the
> size of the entire network.  Having the new-identity spam reach
> thousands of recipients is far better than having it reach tens of
> thousands or millions.

Why not let the WoT solve the problem? In practice, not all of those will
pull the spam at the same time. So some will get it first, see it is spam
and mark it as such. Later ones will then see the spammer mark and not even
fetch the message. On the other hand, if it is not spam, it will get fetched.

> 
>>> If the post is really that valuable, some people will mark the poster
>>> as trusted.  Then everyone will see it.
>> Why should they? People are lazy, so most, if not all, will just read it,
>> maybe answer it, but who thinks about rating someone because of a single
>> post? People are and will always be lazy.
> 
> If the post is only somewhat valuable, it might take a few posts.  If
> it's a provocative photo that escaped from an oppressive regime, I
> suspect it wouldn't.

A few? I do sometimes check some FMS trustlists. And those I did check did
not set some trust value for many people. Additionally remember that FMS is
used by people who are willing to do something. So I would expect much less
from the default WoT inside freenet.
With your suggestion, someone will have to wait until someone "uncensors"
him. IMHO, no one should be censored by default, so it should be exactly the
other way round.

> 
> Granting trust automatically on replies is an idea that has been
> discussed before.  It has a great deal of merit.  I'm in favor of it.
> I just don't think that should be the highest level of trust.

It may be an additional option, but this would only make those well-trusted
who write many posts, while others with fewer posts get less trust. It would
be another place where a spammer could do something to make his attacks more
powerful.

> 
>>> You may think that everyone should be equal; I don't.  If newbies are
>>> posting stuff that isn't spam (be it one message or many), I'm willing
>>> to believe someone my web can reach will mark them trusted.  You
>>> obviously aren't; that's fine too.  Fortunately, there is no
>>> requirement we use the same capacity limiting functions -- that should
>>> be configurable for each user.  If you want to make the default
>>> function fairly permissive, that's fine.  I think you'd be making the
>>> wrong choice, but personally I wouldn't care that much because I'd
>>> just change it away from the default if new-identity spam was a
>>> problem.
>> So you want the default to be more censoring. And you trust people to not
>> be lazy. I oppose both.
>> First, if you really want to implement such censorship, make the default
>> open, with thousands of trusted users, it won't be a difference anyway.
>> Second, why should people mark new identities as trusted? I use FMS and I
>> don't change the trust of every identity I see there. And I do somehow
>> manage a trustlist there. If someone is lazy (and the majority is), they
>> will do nothing.
> 
> If one of your design requirements is that new identities can post and
> be seen by everyone, you have made the spam problem unsolvable BY
> DEFINITION.  That is bad.

Wrong. The initial barrier is the proof to solve a problem. Which should be
done with a problem hard for computers and easy for humans. But this just
prevents automated computer-based identity creation.
But you should never start to mistrust any new identity and censor it by
default and only allow him to reach more people if he does post enough
before. For example a person who just wants to post some interesting content
will probably not take that work, he will just post and leave. With your
idea, only a limited amount of people will see this and they can decide if
others will see it too. With FMS, everyone can see it by default. So this
information would reach more people. Isn't that the basic idea of freenet?
Make it possible for everyone to get the inserted information without the
possibility to censor it?

> 
> The whole point of Advogato or other web of trust systems is that you
> don't have to mark everyone you see as 

[freenet-dev] Why WoTs won't work....

2009-05-27 Thread Thomas Sachau
Evan Daniel wrote:
> On Tue, May 26, 2009 at 4:45 PM, xor wrote:
>> On Friday 22 May 2009 16:39:06 Evan Daniel wrote:
>>> On Fri, May 22, 2009 at 8:17 AM, Matthew Toseland wrote:
>>>> On Friday 22 May 2009 08:17:55 bbackde at googlemail.com wrote:
>>>>> Isn't his point that the users just won't maintain the trust lists?
>>>>> I thought that is the problem that he meant how can Advogato help us
>>>>> here?
>>>>
>>>> Advogato with only positive trust introduces a different tradeoff, which
>>>> is still a major PITA to maintain, but maybe less of one:
>>>> - Spammers only disappear when YOU mark them as spammers, or ALL the
>>>> people you trust do. Right now they disappear when the majority, from the
>>>> point of view of your position on the WoT, mark them as spammers (more or
>>>> less).
>>> When they *fail to mark them as trusted*.  It's an important
>>> distinction, as it means that in order for the spammer to do anything
>>> they first have to *manually* build trust.  If an identity suddenly
>>> starts spamming, only people that originally marked it as trusted have
>>> to change their trust lists in order to stop them.
>>>
>>>> - If you mark a spammer as positive because he posts useful content on
>>>> one board, and you don't read the boards he spams you are likely to get
>>>> marked as a spammer yourself.
>>> Depends how militant people are.  I suspect in practice people won't
>>> do this unless you trust a lot of spammers... in which case they have
>>> a point.  (This is also a case for distinguishing message trust from
>>> trust list trust; while Advogato doesn't do this, the security proof
>>> extends to cover it without trouble.)  You can take an in-between
>>> step: if Alice marks both Bob and Carol as trusted, and Bob marks
>>> Carol a spammer, Alice's software notices and alerts Alice, and offers
>>> to show Alice recent messages from Carol from other boards.
>>> (Algorithmically, publishing "Sam is a spammer" is no different from
>>> not publishing anything about Sam, but it makes some nice things
>>> possible from a UI standpoint.)  This may well get most of the benefit
>>> of ultimatums with lower complexity.
>>>
>>>> - If a spammer doesn't spam himself, but gains trust through posting
>>>> useful content on various boards and then spends this trust by trusting
>>>> spam identities, it will be necessary to give him zero message list
>>>> trust. Again this has serious issues with collateral damage, depending on
>>>> how trigger-happy people are and how much of a problem it is for newbies
>>>> to see spam.
>>>>
>>>> Technologically, this requires:
>>>> - Changing WoT to only support positive trust. This is more or less a one
>>>> line change.
>>> If all you want is positive trust only, yes.  If you want the security
>>> proof, it requires using the network flow algorithm as specified in
>>> the paper, which is a bit more complex.  IMHO, fussing with the
>>> algorithm in ways that don't let you apply the security proof is just
>>> trading one set of alchemy for another -- it might help, but I don't
>>> think it would be wise.
>>>
>>>> - Making sure that my local ratings always override those given by
>>>> others, so I can mark an identity as spam and never see it again. Dunno
>>>> if this is currently implemented.
>>>> - Making CAPTCHA announcement provide some form of short-lived trust, so
>>>> if the newly introduced identity doesn't get some trust it goes away.
>>>> This may also be implemented.
>>> My proposal: there are two levels of trust (implementation starts
>>> exactly as per Advogato levels).  The lower level is CAPTCHA trust;
>>> the higher is manually set only.  (This extends to multiple manual
>>> levels without loss of generality.)  First, the algorithm is run
>>> normally on the manual trust level.  Then, the algorithm is re-run on
>>> the CAPTCHA trust level, with modification: identities that received
>>> no manual trust have severely limited capacity (perhaps as low as 1),
>>> and the general set of capacity vs distance from root is changed to
>>> not go as deep.
>>>
>>> The first part means that the spammer can't chain identities *at all*
>>> before getting the top one manually trusted.  The second means that
>>> identities that only solved a CAPTCHA will only be seen by a small
>>> number of people -- ie they can't spam everyone.  The exact numbers
>>> for flow vs depth would need some tuning for both trust levels,
>>> obviously.  You want enough people to see new identities that they
>>> will receive manual trust.
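>> It is absolutely UNACCEPTABLE for a discussion system to only display
>> messages of newbies to "some people" due to the nature of discussion:
>> - The *value* of a single post from a new identity which has posted a single
>> message can be ANYTHING... it can be absolute crap... but it can also be a
>> highly valuable secret document which reveals stuff which is interesting for
>> millions of people. In other words: The fact that someone is a newbie does
>> not say ANYTHING about the worth of his posts. In more other words: NO
>> individual has the right to increase the worth of his posts - as in the
>> amount of people reading them - by speaking very much on Freetalk and
>> gaining lots of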

[freenet-dev] Why WoTs won't work....

2009-05-27 Thread Evan Daniel
On Wed, May 27, 2009 at 3:11 PM, Thomas Sachau wrote:
> Evan Daniel wrote:
>> On Wed, May 27, 2009 at 1:29 PM, Thomas Sachau wrote:
>>>> A small number could still be rather large.  Having thousands see it
>>>> ought to suffice.  For the current network, I see no reason not to
>>>> have the (default) limits such that basically everyone sees it.
>>> If your small number is that big, you should add that because for me,
>>> "small" is not around "thousands". Additionally, if you allow them to
>>> reach thousands (will a freenet based message system ever reach more
>>> people?), is there any value in restricting this anyway?
>>
>> Currently, the total number of people using Freenet is small.
>> Hopefully that will not always be the case.  Designing a new system
>> that assumes it will always be the case seems like a rather bad idea
>> to me.
>>
>> In this context, I would say small means sublinear growth with the
>> size of the entire network.  Having the new-identity spam reach
>> thousands of recipients is far better than having it reach tens of
>> thousands or millions.
>
> Why not let the WoT solve the problem? In practice, not all of those will
> pull the spam at the same time. So some will get it first, see it is spam
> and mark it as such. Later ones will then see the spammer mark and not even
> fetch the message. On the other hand, if it is not spam, it will get fetched.

If WoT can solve it, fine.  If it can't, that's fine too.  Neither
case has any bearing on Advogato's abilities, merely the standard of
comparison.

>
>>
>>>> If the post is really that valuable, some people will mark the poster
>>>> as trusted.  Then everyone will see it.
>>> Why should they? People are lazy, so most, if not all, will just read it,
>>> maybe answer it, but who thinks about rating someone because of a single
>>> post? People are and will always be lazy.
>>
>> If the post is only somewhat valuable, it might take a few posts.  If
>> it's a provocative photo that escaped from an oppressive regime, I
>> suspect it wouldn't.
>
> A few? I do sometimes check some FMS trustlists. And those I did check did
> not set some trust value for many people. Additionally remember that FMS is
> used by people who are willing to do something. So I would expect much less
> from the default WoT inside freenet.
> With your suggestion, someone will have to wait until someone "uncensors"
> him. IMHO, no one should be censored by default, so it should be exactly the
> other way round.

See below on captchas.

>
>>
>> Granting trust automatically on replies is an idea that has been
>> discussed before.  It has a great deal of merit.  I'm in favor of it.
>> I just don't think that should be the highest level of trust.
>
> It may be an additional option, but this would only make those well-trusted
> who write many posts, while others with fewer posts get less trust. It would
> be another place where a spammer could do something to make his attacks more
> powerful.

It is my firm belief that if the system makes the spammer perform
manual work per identity they wish to spam with, the problem is
solved.  Do you have evidence or sound reasoning to the contrary?  All
systems I know of -- such as email and Frost -- have spam problems
because the spammer can automate all the steps.

>
>>
>>>> You may think that everyone should be equal; I don't.  If newbies are
>>>> posting stuff that isn't spam (be it one message or many), I'm willing
>>>> to believe someone my web can reach will mark them trusted.  You
>>>> obviously aren't; that's fine too.  Fortunately, there is no
>>>> requirement we use the same capacity limiting functions -- that should
>>>> be configurable for each user.  If you want to make the default
>>>> function fairly permissive, that's fine.  I think you'd be making the
>>>> wrong choice, but personally I wouldn't care that much because I'd
>>>> just change it away from the default if new-identity spam was a
>>>> problem.
>>> So you want the default to be more censoring. And you trust people to not
>>> be lazy. I oppose both.
>>> First, if you really want to implement such censorship, make the default
>>> open, with thousands of trusted users, it won't be a difference anyway.
>>> Second, why should people mark new identities as trusted? I use FMS and I
>>> don't change the trust of every identity I see there. And I do somehow
>>> manage a trustlist there. If someone is lazy (and the majority is), they
>>> will do nothing.
>>
>> If one of your design requirements is that new identities can post and
>> be seen by everyone, you have made the spam problem unsolvable BY
>> DEFINITION.  That is bad.
>
> Wrong. The initial barrier is the proof to solve a problem. Which should be
> done with a problem hard for computers and easy for humans. But this just
> prevents automated computer-based identity creation.

Please cite evidence that such a problem exists in a form that is
user-friendly 

[freenet-dev] Why WoTs won't work....

2009-05-27 Thread Evan Daniel
On Wed, May 27, 2009 at 1:29 PM, Thomas Sachau wrote:
>> A small number could still be rather large.  Having thousands see it
>> ought to suffice.  For the current network, I see no reason not to
>> have the (default) limits such that basically everyone sees it.
>
> If your small number is that big, you should add that because for me,
> "small" is not around "thousands". Additionally, if you allow them to
> reach thousands (will a freenet based message system ever reach more
> people?), is there any value in restricting this anyway?

Currently, the total number of people using Freenet is small.
Hopefully that will not always be the case.  Designing a new system
that assumes it will always be the case seems like a rather bad idea
to me.

In this context, I would say small means sublinear growth with the
size of the entire network.  Having the new-identity spam reach
thousands of recipients is far better than having it reach tens of
thousands or millions.

>
>> If the post is really that valuable, some people will mark the poster
>> as trusted.  Then everyone will see it.
>
> Why should they? People are lazy, so most, if not all, will just read it,
> maybe answer it, but who thinks about rating someone because of a single
> post? People are and will always be lazy.

If the post is only somewhat valuable, it might take a few posts.  If
it's a provocative photo that escaped from an oppressive regime, I
suspect it wouldn't.

Granting trust automatically on replies is an idea that has been
discussed before.  It has a great deal of merit.  I'm in favor of it.
I just don't think that should be the highest level of trust.

>
>> You may think that everyone should be equal; I don't.  If newbies are
>> posting stuff that isn't spam (be it one message or many), I'm willing
>> to believe someone my web can reach will mark them trusted.  You
>> obviously aren't; that's fine too.  Fortunately, there is no
>> requirement we use the same capacity limiting functions -- that should
>> be configurable for each user.  If you want to make the default
>> function fairly permissive, that's fine.  I think you'd be making the
>> wrong choice, but personally I wouldn't care that much because I'd
>> just change it away from the default if new-identity spam was a
>> problem.
>
> So you want the default to be more censoring. And you trust people to not
> be lazy. I oppose both.
> First, if you really want to implement such censorship, make the default
> open, with thousands of trusted users, it won't be a difference anyway.
> Second, why should people mark new identities as trusted? I use FMS and I
> don't change the trust of every identity I see there. And I do somehow
> manage a trustlist there. If someone is lazy (and the majority is), they
> will do nothing.

If one of your design requirements is that new identities can post and
be seen by everyone, you have made the spam problem unsolvable BY
DEFINITION.  That is bad.

The whole point of Advogato or other web of trust systems is that you
don't have to mark everyone you see as trusted, only some of them.  As
long as a reasonable number of people do the same thing, so that the
whole graph is well connected, that will suffice.

>
>> Also, you seem to be mistaken about what I mean by limiting CAPTCHA
>> identity capacity.  Limiting it to 1 means it's nonzero.  That means
>> the identity can receive trust and be accepted, so the message will be
>> read.  All it means is that they can't grant trust to anyone else.  It
>> says nothing about their own ability to post messages.  They wouldn't
>> need to solve lots of CAPTCHAs any more than they would under eg FMS.
>> A few should suffice, for redundancy vs collisions and the poster
>> having gone offline.
>
> ???
>
> Who told you that someone would have to solve many captchas and that
> forever? You only need to solve 1 captcha that is not already solved and
> which is from a trusted person which publishes its trustlist.
> And I don't think he is mistaken. You still require people to mark
> identities as trusted to get them visible and have them stay visible to
> others. This won't happen, so people will lose their Captcha-Trust and will
> have to solve more captchas. Annoying for everyone, and most annoying for
> the lazy majority.

The captcha problem is exactly the same as with FMS or WoT.  You could
implement it exactly as either of those does with Advogato.  How many
and how often a new user must solve captchas is only peripherally
related to which algorithm you run on the trust graph.  IIRC, trust in
FMS does not propagate very far at all, which means for more than a
few people to see you you need to be on many trust lists.  That means
solving many captchas or getting lots of manual ratings.  Advogato or
WoT (AIUI, anyway) both improve on this.

I am proposing an improved solution.  Currently, in FMS or WoT, Sam
can solve a captcha Alice published.  Since he then has trust from
Alice, he can mark a large number of fake identities as trusted.  With
my proposal, where
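
The two-level capacity scheme proposed in this thread (run the flow metric on manual trust, then re-run it on CAPTCHA trust with identities that got no manual trust pinned to capacity 1), as an added example that is not code from the thread or from the Freenet, WoT or FMS projects. It is a simplified Advogato-style max-flow model; the capacity tables, the sample trust graph and the reading of "received no manual trust" as "not accepted in the manual run" are assumptions.

```python
from collections import deque

SINK = "SINK"  # supersink: one unit of flow arriving here = one accepted identity


def accepted(seed, edges, cap_by_depth, limited=frozenset()):
    """Advogato-style acceptance. Node capacity falls with BFS depth from the
    seed; identities in `limited` are pinned to capacity 1."""
    depth, queue = {seed: 0}, deque([seed])
    while queue:
        x = queue.popleft()
        for y in edges.get(x, ()):
            if y not in depth:
                depth[y] = depth[x] + 1
                queue.append(y)
    # Identities deeper than the capacity table are never considered.
    cap = {x: (1 if x in limited else cap_by_depth[d])
           for x, d in depth.items() if d < len(cap_by_depth)}

    res = {}  # residual capacities: res[u][v]

    def add(u, v, c):
        res.setdefault(u, {})[v] = c
        res.setdefault(v, {}).setdefault(u, 0)

    for x, c in cap.items():
        add(("in", x), SINK, 1)            # x keeps one unit for itself
        add(("in", x), ("out", x), c - 1)  # the rest may be passed on
        for y in edges.get(x, ()):
            if y in cap and y != x:
                add(("out", x), ("in", y), c - 1)

    src = ("in", seed)
    while True:  # shortest augmenting paths (Edmonds-Karp)
        parent, queue = {src: None}, deque([src])
        while queue and SINK not in parent:
            u = queue.popleft()
            for v, c in res[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if SINK not in parent:
            break
        v = SINK  # every path ends on a unit edge, so push exactly 1
        while parent[v] is not None:
            u = parent[v]
            res[u][v] -= 1
            res[v][u] += 1
            v = u
    return {x for x in cap if res[("in", x)][SINK] == 0}


def merge(*graphs):
    """Union of several trust graphs given as {truster: [trusted, ...]}."""
    merged = {}
    for g in graphs:
        for x, ys in g.items():
            merged.setdefault(x, set()).update(ys)
    return merged


def two_level(seed, manual, captcha,
              cap_manual=(8, 4, 2, 1), cap_captcha=(8, 4, 1)):
    """Run 1: manual trust only. Run 2: manual + CAPTCHA trust, shallower
    capacity table, capacity 1 for everyone run 1 did not accept."""
    manual_ok = accepted(seed, manual, cap_manual)
    both = merge(manual, captcha)
    everyone = set(both).union(*both.values())
    captcha_ok = accepted(seed, both, cap_captcha, limited=everyone - manual_ok)
    return manual_ok, captcha_ok


def sybils_in(ids):
    return sorted(x for x in ids if x.startswith("sybil"))


# Constructed sample graph: Sam solved a CAPTCHA published by Alice and then
# marks five fake identities of his own as trusted.
SYBILS = [f"sybil{i}" for i in range(1, 6)]
MANUAL = {"alice": ["bob"], "bob": ["carol"], "sam": SYBILS}
CAPTCHA = {"alice": ["sam"]}

if __name__ == "__main__":
    flat = accepted("alice", merge(MANUAL, CAPTCHA), (8, 4, 2, 1))
    manual_ok, captcha_ok = two_level("alice", MANUAL, CAPTCHA)
    print("single level, CAPTCHA trust counted like manual:", sybils_in(flat))
    print("two level, accepted for reading:", sorted(captcha_ok))
```

With CAPTCHA trust treated like any other trust, Sam's depth-1 capacity lets him carry three of his fake identities into Alice's view; in the two-level run Sam himself is still accepted, but none of the identities he vouches for are.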

Re: [freenet-dev] Why WoTs won't work....

2009-05-27 Thread Thomas Sachau
Evan Daniel schrieb:
 On Tue, May 26, 2009 at 4:45 PM, xor x...@gmx.li wrote:
 On Friday 22 May 2009 16:39:06 Evan Daniel wrote:
 On Fri, May 22, 2009 at 8:17 AM, Matthew Toseland

 t...@amphibian.dyndns.org wrote:
 On Friday 22 May 2009 08:17:55 bbac...@googlemail.com wrote:
 Is'nt his point that the users just won't maintain the trust lists?
 I thought that is the problem that he meant how can Advogato help us
 here?

 Advogato with only positive trust introduces a different tradeoff, which
 is still a major PITA to maintain, but maybe less of one:
 - Spammers only disappear when YOU mark them as spammers, or ALL the
 people you trust do. Right now they disappear when the majority, from the
 point of view of your position on the WoT, mark them as spammers (more or
 less).
 When they *fail to mark them as trusted*.  It's an important
 distinction, as it means that in order for the spammer to do anything
 they first have to *manually* build trust.  If an identity suddenly
 starts spamming, only people that originally marked it as trusted have
 to change their trust lists in order to stop them.

 - If you mark a spammer as positive because he posts useful content on
 one board, and you don't read the boards he spams you are likely to get
 marked as a spammer yourself.
 Depends how militant people are.  I suspect in practice people won't
 do this unless you trust a lot of spammers... in which case they have
 a point.  (This is also a case for distinguishing message trust from
 trust list trust; while Advogato doesn't do this, the security proof
 extends to cover it without trouble.)  You can take an in-between
 step: if Alice marks both Bob and Carol as trusted, and Bob marks
 Carol a spammer, Alice's software notices and alerts Alice, and offers
 to show Alice recent messages from Carol from other boards.
 (Algorithmically, publishing Sam is a spammer is no different from
 not publishing anything about Sam, but it makes some nice things
 possible from a UI standpoint.)  This may well get most of the benefit
 of ultimatums with lower complexity.

 - If a spammer doesn't spam himself, but gains trust through posting
 useful content on various boards and then spends this trust by trusting
 spam identities, it will be necessary to give him zero message list
 trust. Again this has serious issues with collateral damage, depending on
 how trigger-happy people are and how much of a problem it is for newbies
 to see spam.

 Technologically, this requires:
 - Changing WoT to only support positive trust. This is more or less a one
 line change.
 If all you want is positive trust only, yes.  If you want the security
 proof, it requires using the network flow algorithm as specified in
 the paper, which is a bit more complex.  IMHO, fussing with the
 algorithm in ways that don't let you apply the security proof is just
 trading one set of alchemy for another -- it might help, but I don't
 think it would be wise.

 - Making sure that my local ratings always override those given by
 others, so I can mark an identity as spam and never see it again. Dunno
 if this is currently implemented.
 - Making CAPTCHA announcement provide some form of short-lived trust, so
 if the newly introduced identity doesn't get some trust it goes away.
 This may also be implemented.
 My proposal: there are two levels of trust (implementation starts
 exactly as per Advogato levels).  The lower level is CAPTCHA trust;
 the higher is manually set only.  (This extends to multiple manual
 levels without loss of generality.)  First, the algorithm is run
 normally on the manual trust level.  Then, the algorithm is re-run on
 the CAPTCHA trust level, with modification: identities that received
 no manual trust have severely limited capacity (perhaps as low as 1),
 and the general set of capacity vs distance from root is changed to
 not go as deep.

 The first part means that the spammer can't chain identities *at all*
 before getting the top one manually trusted.  The second means that
 identities that only solved a CAPTCHA will only be seen by a small
 number of people -- ie they can't spam everyone.  The exact numbers
 for flow vs depth would need some tuning for both trust levels,
 obviously.  You want enough people to see new identities that they
 will receive manual trust.
 It is absolutely INACCEPTABLE for a discussion system to only display 
 messages
 of newbies to some people due to the nature of discussion:
 - The *value* of a single post from a new identity which has posted a single
 message can be ANYTHING... it can be absolute crap... but it can also be a
 highly valuable secret document which reveals stuff which is interesting for
 millions of people. In other words: The fact that someone is a newbie does 
 not
 say ANYTHING about the worth of his posts. In more other words: NO individual
 has the right to increase the worth of his posts - as in the amount of
 people reading them - by speaking very much on Freetalk and gaining lots of

Re: [freenet-dev] Why WoTs won't work....

2009-05-27 Thread Evan Daniel
On Wed, May 27, 2009 at 1:29 PM, Thomas Sachau m...@tommyserver.de wrote:
 A small number could still be rather large.  Having thousands see it
 ought to suffice.  For the current network, I see no reason not to
 have the (default) limits such that basically everyone sees it.

 If your small number is that big, you should add that because for me, small 
 is not around
 thousends. Additionally, if you allow them to reach thousends (will a 
 freenet based message system
 ever reach more people?), is there any value in restricting this anyway?

Currently, the total number of people using Freenet is small.
Hopefully that will not always be the case.  Designing a new system
that assumes it will always be the case seems like a rather bad idea
to me.

In this context, I would say small means sublinear growth with the
size of the entire network.  Having the new-identity spam reach
thousands of recipients is far better than having it reach tens of
thousands or millions.


 If the post is really that valuable, some people will mark the poster
 as trusted.  Then everyone will see it.

 Why should they? People are lazy, so most, if not all will just read it, 
 maybe answer it, but who
 thinks about rating someone because of a single post? People are and will 
 always be lazy.

If the post is only somewhat valuable, it might take a few posts.  If
it's a provocative photo that escaped from an oppressive regime, I
suspect it wouldn't.

Granting trust automatically on replies is an idea that has been
discussed before.  It has a great deal of merit.  I'm in favor of it.
I just don't think that should be the highest level of trust.


 You may think that everyone should be equal; I don't.  If newbies are
 posting stuff that isn't spam (be it one message or many), I'm willing
 to believe someone my web can reach will mark them trusted.  You
 obviously aren't; that's fine too.  Fortunately, there is no
 requirement we use the same capacity limiting functions -- that should
 be configurable for each user.  If you want to make the default
 function fairly permissive, that's fine.  I think you'd be making the
 wrong choice, but personally I wouldn't care that much because I'd
 just change it away from the default if new-identity spam was a
 problem.

 So you want the default to be more censoring. And you trust people to not be 
 lazy. I oppose both.
 First, if you really want to implement such censorship, make the default 
 open, with thousends of
 trusted users, it wont be a difference anyway. Second, why should people mark 
 new identities as
 trusted? I use FMS and i dont change the trust of every identity i see there. 
 And i do somehow
 manage a trustlist there. If someone is lazy (and the majority is), they will 
 do nothing.

If one of your design requirements is that new identities can post and
be seen by everyone, you have made the spam problem unsolvable BY
DEFINITION.  That is bad.

The whole point of Advogato or other web of trust systems is that you
don't have to mark everyone you see as trusted, only some of them.  As
long as a reasonable number of people do the same thing, so that the
whole graph is well connected, that will suffice.


 Also, you seem to be mistaken about what I mean by limiting CAPTCHA
 identity capacity.  Limiting it to 1 means it's nonzero.  That means
 the identity can receive trust and be accepted, so the message will be
 read.  All it means is that they can't grant trust to anyone else.  It
 says nothing about their own ability to post messages.  The wouldn't
 need to solve lots of CAPTCHAs any more than they would under eg FMS.
 A few should suffice, for redundancy vs collisions and the poster
 having gone offline.

 ???

 Who told you that someone would have to solve many captchas and that forever? 
 You only need to solve
 1 captcha that is not already solved and which is from a trusted person which 
 publishes its trustlist.
 And i dont think he is mistaken. You still require people to mark identities 
 as trusted to get them
 visible and have them stay visible to others. This wont happen, so people 
 will loose their
 Captcha-Trust and will have to solve more captchas. Annoying for everyone, 
 and most annoying for the
 lazy majority.

The captcha problem is exactly the same as with FMS or WoT.  You could
implement it exactly as either of those does with Advogato.  How many
and how often a new user must solve captchas is only peripherally
related to which algorithm you run on the trust graph.  IIRC, trust in
FMS does not propagate very far at all, which means for more than a
few people to see you you need to be on many trust lists.  That means
solving many captchas or getting lots of manual ratings.  Advogato or
WoT (AIUI, anyway) both improve on this.

I am proposing an improved solution.  Currently, in FMS or WoT, Sam
can solve a captcha Alice published.  Since he then has trust from
Alice, he can mark a large number of fake identities as trusted.  With
my proposal, where 

Re: [freenet-dev] Why WoTs won't work....

2009-05-27 Thread Thomas Sachau
Evan Daniel schrieb:
 On Wed, May 27, 2009 at 1:29 PM, Thomas Sachau m...@tommyserver.de wrote:
 A small number could still be rather large.  Having thousands see it
 ought to suffice.  For the current network, I see no reason not to
 have the (default) limits such that basically everyone sees it.
 If your small number is that big, you should add that because for me, 
 small is not around
 thousends. Additionally, if you allow them to reach thousends (will a 
 freenet based message system
 ever reach more people?), is there any value in restricting this anyway?
 
 Currently, the total number of people using Freenet is small.
 Hopefully that will not always be the case.  Designing a new system
 that assumes it will always be the case seems like a rather bad idea
 to me.
 
 In this context, I would say small means sublinear growth with the
 size of the entire network.  Having the new-identity spam reach
 thousands of recipients is far better than having it reach tens of
 thousands or millions.

Why not let the WoT solve the problem? In practise, not all of those will pull 
the spam at the same
time. So some will get it first, see it is spam and mark it as such. Later ones 
will then see the
spammer mark and not even fetch the message. On the other hand, if it is no 
spam, it will get fetched.

 
 If the post is really that valuable, some people will mark the poster
 as trusted.  Then everyone will see it.
 Why should they? People are lazy, so most, if not all will just read it, 
 maybe answer it, but who
 thinks about rating someone because of a single post? People are and will 
 always be lazy.
 
 If the post is only somewhat valuable, it might take a few posts.  If
 it's a provocative photo that escaped from an oppressive regime, I
 suspect it wouldn't.

A few? I do sometimes check some FMS trustlists. And those I did check did
not set some trust value for many people. Additionally remember that FMS is
used by people who are willing to do something.
So I would expect much less from the default WoT inside freenet.
With your suggestion, someone will have to wait, until someone uncensors
him. Imho, no one should be censored by default, so it should be exactly the
other way round.

 
 Granting trust automatically on replies is an idea that has been
 discussed before.  It has a great deal of merit.  I'm in favor of it.
 I just don't think that should be the highest level of trust.

It may be an additional option, but this would only make those well-trusted,
which do write many posts, while others with less posts get less trust.
Would be another place, where a spammer could do something to make his
attacks more powerful.

 
 You may think that everyone should be equal; I don't.  If newbies are
 posting stuff that isn't spam (be it one message or many), I'm willing
 to believe someone my web can reach will mark them trusted.  You
 obviously aren't; that's fine too.  Fortunately, there is no
 requirement we use the same capacity limiting functions -- that should
 be configurable for each user.  If you want to make the default
 function fairly permissive, that's fine.  I think you'd be making the
 wrong choice, but personally I wouldn't care that much because I'd
 just change it away from the default if new-identity spam was a
 problem.
 So you want the default to be more censoring. And you trust people to not be 
 lazy. I oppose both.
 First, if you really want to implement such censorship, make the default 
 open, with thousends of
 trusted users, it wont be a difference anyway. Second, why should people 
 mark new identities as
 trusted? I use FMS and i dont change the trust of every identity i see 
 there. And i do somehow
 manage a trustlist there. If someone is lazy (and the majority is), they 
 will do nothing.
 
 If one of your design requirements is that new identities can post and
 be seen by everyone, you have made the spam problem unsolvable BY
 DEFINITION.  That is bad.

Wrong. The initial barrier is the proof to solve a problem. Which should be
done with a problem hard for computers and easy for humans. But this just
prevents automated computer-based identity creation.
But you should never start to mistrust any new identity and censor it by
default and only allow him to reach more people if he does post enough
before. For example a person who just wants to post some interesting content
will probably not take that work, he will just post and leave. With your
idea, only a limited amount of people will see this and they can decide, if
others will see it too. With FMS, everyone can see it by default. So this
information would reach more people. Isn't that the basic idea of freenet?
Make it possible to everyone to get the inserted information without the
possibility to censor it?

 
 The whole point of Advogato or other web of trust systems is that you
 don't have to mark everyone you see as trusted, only some of them.  As
 long as a reasonable number of people do the same thing, so that the
 

Re: [freenet-dev] Why WoTs won't work....

2009-05-27 Thread Evan Daniel
On Wed, May 27, 2009 at 3:11 PM, Thomas Sachau m...@tommyserver.de wrote:
 Evan Daniel schrieb:
 On Wed, May 27, 2009 at 1:29 PM, Thomas Sachau m...@tommyserver.de wrote:
 A small number could still be rather large.  Having thousands see it
 ought to suffice.  For the current network, I see no reason not to
 have the (default) limits such that basically everyone sees it.
 If your small number is that big, you should add that because for me, 
 small is not around
 thousends. Additionally, if you allow them to reach thousends (will a 
 freenet based message system
 ever reach more people?), is there any value in restricting this anyway?

 Currently, the total number of people using Freenet is small.
 Hopefully that will not always be the case.  Designing a new system
 that assumes it will always be the case seems like a rather bad idea
 to me.

 In this context, I would say small means sublinear growth with the
 size of the entire network.  Having the new-identity spam reach
 thousands of recipients is far better than having it reach tens of
 thousands or millions.

 Why not let the WoT solve the problem? In practise, not all of those will 
 pull the spam at the same
 time. So some will get it first, see it is spam and mark it as such. Later 
 ones will then see the
 spammer mark and not even fetch the message. On the other hand, if it is no 
 spam, it will get fetched.

If WoT can solve it, fine.  If it can't, that's fine too.  Neither
case has any bearing on Advogato's abilities, merely the standard of
comparison.



 If the post is really that valuable, some people will mark the poster
 as trusted.  Then everyone will see it.
 Why should they? People are lazy, so most, if not all will just read it, 
 maybe answer it, but who
 thinks about rating someone because of a single post? People are and will 
 always be lazy.

 If the post is only somewhat valuable, it might take a few posts.  If
 it's a provocative photo that escaped from an oppressive regime, I
 suspect it wouldn't.

 A few? I do sometimes check some FMS trustlists. And those i did check did 
 not set some trust value
 for many people. Additionally remember that FMS is used by people who are 
 willing to do something.
 So i would expect much less from the default WoT inside freenet.
 With your suggestion, someone will have to wait, until someone uncensors 
 him. Imho, noone should
 be censored by default, so it should be exactly the other way round.

See below on captchas.



 Granting trust automatically on replies is an idea that has been
 discussed before.  It has a great deal of merit.  I'm in favor of it.
 I just don't think that should be the highest level of trust.

 It may be an additional option, but this would only make those well-trusted, 
 which do write many
 posts, while others with less posts get less trust. Would be another place, 
 where a spammer could do
 something to make his attacks more powerfull.

It is my firm belief that if the system makes the spammer perform
manual work per identity they wish to spam with, the problem is
solved.  Do you have evidence or sound reasoning to the contrary?  All
systems I know of -- such as email and Frost -- have spam problems
because the spammer can automate all the steps.



 You may think that everyone should be equal; I don't.  If newbies are
 posting stuff that isn't spam (be it one message or many), I'm willing
 to believe someone my web can reach will mark them trusted.  You
 obviously aren't; that's fine too.  Fortunately, there is no
 requirement we use the same capacity limiting functions -- that should
 be configurable for each user.  If you want to make the default
 function fairly permissive, that's fine.  I think you'd be making the
 wrong choice, but personally I wouldn't care that much because I'd
 just change it away from the default if new-identity spam was a
 problem.
 So you want the default to be more censoring. And you trust people to not 
 be lazy. I oppose both.
 First, if you really want to implement such censorship, make the default 
 open, with thousends of
 trusted users, it wont be a difference anyway. Second, why should people 
 mark new identities as
 trusted? I use FMS and i dont change the trust of every identity i see 
 there. And i do somehow
 manage a trustlist there. If someone is lazy (and the majority is), they 
 will do nothing.

 If one of your design requirements is that new identities can post and
 be seen by everyone, you have made the spam problem unsolvable BY
 DEFINITION.  That is bad.

 Wrong. The initial barrier is the proove to solve a problem. Which should be 
 done with a problem
 hard for computers and easy for humans. But this just prevents automated 
 computerbased identity
 creation.

Please cite evidence that such a problem exists in a form that is
user-friendly enough we can use it.  Unless I am greatly mistaken,
Freenet's goal as a project is not to solve the captcha problem when
no one else has.  Taking on oppressive governments 

[freenet-dev] Why WoTs won't work....

2009-05-26 Thread xor
On Friday 22 May 2009 16:39:06 Evan Daniel wrote:
> On Fri, May 22, 2009 at 8:17 AM, Matthew Toseland
>
>  wrote:
> > On Friday 22 May 2009 08:17:55 bbackde at googlemail.com wrote:
> >> Isn't his point that the users just won't maintain the trust lists?
> >> I thought that is the problem that he meant how can Advogato help us
> >
> > here?
> >
> > Advogato with only positive trust introduces a different tradeoff, which
> > is still a major PITA to maintain, but maybe less of one:
> > - Spammers only disappear when YOU mark them as spammers, or ALL the
> > people you trust do. Right now they disappear when the majority, from the
> > point of view of your position on the WoT, mark them as spammers (more or
> > less).
>
> When they *fail to mark them as trusted*.  It's an important
> distinction, as it means that in order for the spammer to do anything
> they first have to *manually* build trust.  If an identity suddenly
> starts spamming, only people that originally marked it as trusted have
> to change their trust lists in order to stop them.
>
> > - If you mark a spammer as positive because he posts useful content on
> > one board, and you don't read the boards he spams you are likely to get
> > marked as a spammer yourself.
>
> Depends how militant people are.  I suspect in practice people won't
> do this unless you trust a lot of spammers... in which case they have
> a point.  (This is also a case for distinguishing message trust from
> trust list trust; while Advogato doesn't do this, the security proof
> extends to cover it without trouble.)  You can take an in-between
> step: if Alice marks both Bob and Carol as trusted, and Bob marks
> Carol a spammer, Alice's software notices and alerts Alice, and offers
> to show Alice recent messages from Carol from other boards.
> (Algorithmically, publishing "Sam is a spammer" is no different from
> not publishing anything about Sam, but it makes some nice things
> possible from a UI standpoint.)  This may well get most of the benefit
> of ultimatums with lower complexity.
>
> > - If a spammer doesn't spam himself, but gains trust through posting
> > useful content on various boards and then spends this trust by trusting
> > spam identities, it will be necessary to give him zero message list
> > trust. Again this has serious issues with collateral damage, depending on
> > how trigger-happy people are and how much of a problem it is for newbies
> > to see spam.
> >
> > Technologically, this requires:
> > - Changing WoT to only support positive trust. This is more or less a one
> > line change.
>
> If all you want is positive trust only, yes.  If you want the security
> proof, it requires using the network flow algorithm as specified in
> the paper, which is a bit more complex.  IMHO, fussing with the
> algorithm in ways that don't let you apply the security proof is just
> trading one set of alchemy for another -- it might help, but I don't
> think it would be wise.
>
> > - Making sure that my local ratings always override those given by
> > others, so I can mark an identity as spam and never see it again. Dunno
> > if this is currently implemented.
> > - Making CAPTCHA announcement provide some form of short-lived trust, so
> > if the newly introduced identity doesn't get some trust it goes away.
> > This may also be implemented.
>
> My proposal: there are two levels of trust (implementation starts
> exactly as per Advogato levels).  The lower level is CAPTCHA trust;
> the higher is manually set only.  (This extends to multiple manual
> levels without loss of generality.)  First, the algorithm is run
> normally on the manual trust level.  Then, the algorithm is re-run on
> the CAPTCHA trust level, with modification: identities that received
> no manual trust have severely limited capacity (perhaps as low as 1),
> and the general set of capacity vs distance from root is changed to
> not go as deep.
>
> The first part means that the spammer can't chain identities *at all*
> before getting the top one manually trusted.  The second means that
> identities that only solved a CAPTCHA will only be seen by a small
> number of people -- ie they can't spam everyone.  The exact numbers
> for flow vs depth would need some tuning for both trust levels,
> obviously.  You want enough people to see new identities that they
> will receive manual trust.

It is absolutely INACCEPTABLE for a discussion system to only display messages 
of newbies to "some people" due to the nature of discussion:
- The *value* of a single post from a new identity which has posted a single 
message can be ANYTHING... it can be absolute crap... but it can also be a 
highly valuable secret document which reveals stuff which is interesting for 
millions of people. In other words: The fact that someone is a newbie does not 
say ANYTHING about the worth of his posts. In more other words: NO individual 
has the right to increase the "worth" of his posts - as in the amount of 
people reading them - by 

[freenet-dev] Why WoTs won't work....

2009-05-26 Thread xor
On Saturday 23 May 2009 21:11:59 Evan Daniel wrote:
> On Sat, May 23, 2009 at 10:06 AM, Matthew Toseland
>
>  wrote:
> > On Saturday 23 May 2009 10:43:09 Arne Babenhauserheide wrote:
> >> On Friday, 22. May 2009 23:10:42 Mike Bush wrote:
> >> > I have been watching this debate and I was wondering whether it could
> >> > help to have 2 sets of trust values for each identity in a trust list,
> >> > this could mean you could mark an identity as spamming or that I don't
> >> > want to see these posts again as I find them objectionable.
> >>
> >> This is what Credence did in the end for spam detection on Gnutella, so
> >> it might fit the human psyche :)
> >>
> >> People got the option to say "that's bad quality or misleading", "I
> >> don't like it" or "that's spam".
> >>
> >> For messages that could be
> >>
> >> * "that ID posts spam"
> >> * "that ID posts crap"
> >>
> >> The first can easily be reviewed, the second is subjective. That would
> >> give a soft group censorship option, but give the useful spam detection
> >> to everyone.
> >>
> >> Best wishes,
> >> Arne
> >>
> >> PS: Yes, I mostly just tried to clarify Mike's post for me. I hope the
> >> mail's useful to you nonetheless.
> >
> > People will game the system, no? If they think paedophiles are scum who
> > should not be allowed to speak, and they realise that clicking "This is
> > spam" is more effective than "This is crap", they will click the former,
> > no?
>
> I would assume that's the normal case.  OTOH, there isn't much harm in
> implementing it, and if some people use it, that would help
> somewhat...  Perhaps implement, but not required for initial release?

Multiple trust lists are in fact planned, and in fact not planned for the next 
release: https://bugs.freenetproject.org/view.php?id=3067


[freenet-dev] Why WoTs won't work....

2009-05-26 Thread Evan Daniel
On Tue, May 26, 2009 at 4:45 PM, xor  wrote:
> On Friday 22 May 2009 16:39:06 Evan Daniel wrote:
>> On Fri, May 22, 2009 at 8:17 AM, Matthew Toseland
>>
>>  wrote:
>> > On Friday 22 May 2009 08:17:55 bbackde at googlemail.com wrote:
>> >> Isn't his point that the users just won't maintain the trust lists?
>> >> I thought that is the problem that he meant how can Advogato help us
>> >
>> > here?
>> >
>> > Advogato with only positive trust introduces a different tradeoff, which
>> > is still a major PITA to maintain, but maybe less of one:
>> > - Spammers only disappear when YOU mark them as spammers, or ALL the
>> > people you trust do. Right now they disappear when the majority, from the
>> > point of view of your position on the WoT, mark them as spammers (more or
>> > less).
>>
>> When they *fail to mark them as trusted*.  It's an important
>> distinction, as it means that in order for the spammer to do anything
>> they first have to *manually* build trust.  If an identity suddenly
>> starts spamming, only people that originally marked it as trusted have
>> to change their trust lists in order to stop them.
>>
>> > - If you mark a spammer as positive because he posts useful content on
>> > one board, and you don't read the boards he spams you are likely to get
>> > marked as a spammer yourself.
>>
>> Depends how militant people are.  I suspect in practice people won't
>> do this unless you trust a lot of spammers... in which case they have
>> a point.  (This is also a case for distinguishing message trust from
>> trust list trust; while Advogato doesn't do this, the security proof
>> extends to cover it without trouble.)  You can take an in-between
>> step: if Alice marks both Bob and Carol as trusted, and Bob marks
>> Carol a spammer, Alice's software notices and alerts Alice, and offers
>> to show Alice recent messages from Carol from other boards.
>> (Algorithmically, publishing "Sam is a spammer" is no different from
>> not publishing anything about Sam, but it makes some nice things
>> possible from a UI standpoint.)  This may well get most of the benefit
>> of ultimatums with lower complexity.
>>
>> > - If a spammer doesn't spam himself, but gains trust through posting
>> > useful content on various boards and then spends this trust by trusting
>> > spam identities, it will be necessary to give him zero message list
>> > trust. Again this has serious issues with collateral damage, depending on
>> > how trigger-happy people are and how much of a problem it is for newbies
>> > to see spam.
>> >
>> > Technologically, this requires:
>> > - Changing WoT to only support positive trust. This is more or less a one
>> > line change.
>>
>> If all you want is positive trust only, yes.  If you want the security
>> proof, it requires using the network flow algorithm as specified in
>> the paper, which is a bit more complex.  IMHO, fussing with the
>> algorithm in ways that don't let you apply the security proof is just
>> trading one set of alchemy for another -- it might help, but I don't
>> think it would be wise.
>>
>> > - Making sure that my local ratings always override those given by
>> > others, so I can mark an identity as spam and never see it again. Dunno
>> > if this is currently implemented.
>> > - Making CAPTCHA announcement provide some form of short-lived trust, so
>> > if the newly introduced identity doesn't get some trust it goes away.
>> > This may also be implemented.
>>
>> My proposal: there are two levels of trust (implementation starts
>> exactly as per Advogato levels).  The lower level is CAPTCHA trust;
>> the higher is manually set only.  (This extends to multiple manual
>> levels without loss of generality.)  First, the algorithm is run
>> normally on the manual trust level.  Then, the algorithm is re-run on
>> the CAPTCHA trust level, with modification: identities that received
>> no manual trust have severely limited capacity (perhaps as low as 1),
>> and the general set of capacity vs distance from root is changed to
>> not go as deep.
>>
>> The first part means that the spammer can't chain identities *at all*
>> before getting the top one manually trusted.  The second means that
>> identities that only solved a CAPTCHA will only be seen by a small
>> number of people -- ie they can't spam everyone.  The exact numbers
>> for flow vs depth would need some tuning for both trust levels,
>> obviously.  You want enough people to see new identities that they
>> will receive manual trust.
>
> It is absolutely INACCEPTABLE for a discussion system to only display messages
> of newbies to "some people" due to the nature of discussion:
> - The *value* of a single post from a new identity which has posted a single
> message can be ANYTHING... it can be absolute crap... but it can also be a
> highly valuable secret document which reveals stuff which is interesting for
> millions of people. In other words: The fact that someone is a newbie does not
> say ANYTHING about the worth of his 

Re: [freenet-dev] Why WoTs won't work....

2009-05-26 Thread xor
On Friday 22 May 2009 16:39:06 Evan Daniel wrote:
> On Fri, May 22, 2009 at 8:17 AM, Matthew Toseland
>
> t...@amphibian.dyndns.org wrote:
> > On Friday 22 May 2009 08:17:55 bbac...@googlemail.com wrote:
> >> Isn't his point that the users just won't maintain the trust lists?
> >> I thought that is the problem that he meant how can Advogato help us
> >
> > here?
> >
> > Advogato with only positive trust introduces a different tradeoff, which
> > is still a major PITA to maintain, but maybe less of one:
> > - Spammers only disappear when YOU mark them as spammers, or ALL the
> > people you trust do. Right now they disappear when the majority, from the
> > point of view of your position on the WoT, mark them as spammers (more or
> > less).
>
> When they *fail to mark them as trusted*.  It's an important
> distinction, as it means that in order for the spammer to do anything
> they first have to *manually* build trust.  If an identity suddenly
> starts spamming, only people that originally marked it as trusted have
> to change their trust lists in order to stop them.
>
> > - If you mark a spammer as positive because he posts useful content on
> > one board, and you don't read the boards he spams you are likely to get
> > marked as a spammer yourself.
>
> Depends how militant people are.  I suspect in practice people won't
> do this unless you trust a lot of spammers... in which case they have
> a point.  (This is also a case for distinguishing message trust from
> trust list trust; while Advogato doesn't do this, the security proof
> extends to cover it without trouble.)  You can take an in-between
> step: if Alice marks both Bob and Carol as trusted, and Bob marks
> Carol a spammer, Alice's software notices and alerts Alice, and offers
> to show Alice recent messages from Carol from other boards.
> (Algorithmically, publishing "Sam is a spammer" is no different from
> not publishing anything about Sam, but it makes some nice things
> possible from a UI standpoint.)  This may well get most of the benefit
> of ultimatums with lower complexity.
>
> > - If a spammer doesn't spam himself, but gains trust through posting
> > useful content on various boards and then spends this trust by trusting
> > spam identities, it will be necessary to give him zero message list
> > trust. Again this has serious issues with collateral damage, depending on
> > how trigger-happy people are and how much of a problem it is for newbies
> > to see spam.
> >
> > Technologically, this requires:
> > - Changing WoT to only support positive trust. This is more or less a one
> > line change.
>
> If all you want is positive trust only, yes.  If you want the security
> proof, it requires using the network flow algorithm as specified in
> the paper, which is a bit more complex.  IMHO, fussing with the
> algorithm in ways that don't let you apply the security proof is just
> trading one set of alchemy for another -- it might help, but I don't
> think it would be wise.
>
> > - Making sure that my local ratings always override those given by
> > others, so I can mark an identity as spam and never see it again. Dunno
> > if this is currently implemented.
> > - Making CAPTCHA announcement provide some form of short-lived trust, so
> > if the newly introduced identity doesn't get some trust it goes away.
> > This may also be implemented.
>
> My proposal: there are two levels of trust (implementation starts
> exactly as per Advogato levels).  The lower level is CAPTCHA trust;
> the higher is manually set only.  (This extends to multiple manual
> levels without loss of generality.)  First, the algorithm is run
> normally on the manual trust level.  Then, the algorithm is re-run on
> the CAPTCHA trust level, with modification: identities that received
> no manual trust have severely limited capacity (perhaps as low as 1),
> and the general set of capacity vs distance from root is changed to
> not go as deep.
>
> The first part means that the spammer can't chain identities *at all*
> before getting the top one manually trusted.  The second means that
> identities that only solved a CAPTCHA will only be seen by a small
> number of people -- ie they can't spam everyone.  The exact numbers
> for flow vs depth would need some tuning for both trust levels,
> obviously.  You want enough people to see new identities that they
> will receive manual trust.

It is absolutely INACCEPTABLE for a discussion system to only display messages
of newbies to "some people" due to the nature of discussion:
- The *value* of a single post from a new identity which has posted a single
message can be ANYTHING... it can be absolute crap... but it can also be a
highly valuable secret document which reveals stuff which is interesting for
millions of people. In other words: The fact that someone is a newbie does not
say ANYTHING about the worth of his posts. In more other words: NO individual
has the right to increase the "worth" of his posts - as in the amount of
people reading them - by speaking very much on Freetalk and gaining lots of 
trust with that. EVERY SPEAKER SHALL BE EQUAL! 
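
The two-level proposal quoted in the message above (manual trust first, then CAPTCHA trust with capacity 1 for identities that have no manual trust), as an added Python example that is not part of the thread or of the WoT/FMS code. The flow network follows the published Advogato construction; the capacity tables, identity names and trust graph are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

INF = float("inf")
SINK = ("sink", None)

# Assumed capacity-by-distance tables (illustrative, not tuned values).
MANUAL_CAPS = [20, 8, 4, 2, 1]
CAPTCHA_CAPS = [20, 8, 4, 1]      # the second pass does "not go as deep"


def depths(edges, seed):
    """Breadth-first distance of every reachable identity from the seed."""
    dist, queue = {seed: 0}, deque([seed])
    while queue:
        u = queue.popleft()
        for v in edges.get(u, ()):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def accepted(edges, seed, capacity):
    """Advogato-style metric: identity x becomes x_in -> x_out (capacity
    cap-1) plus x_in -> SINK (capacity 1); trust edges are unbounded.
    An identity is accepted when its unit of flow reaches SINK."""
    dist = depths(edges, seed)
    res = defaultdict(lambda: defaultdict(int))      # residual capacities
    for x, d in dist.items():
        cap = capacity(x, d)
        if cap < 1:
            continue
        res[(x, "in")][SINK] = 1
        res[(x, "in")][(x, "out")] = cap - 1
        for y in edges.get(x, ()):
            res[(x, "out")][(y, "in")] = INF
    source = (seed, "in")
    while True:                                      # shortest augmenting paths
        parent, queue = {source: None}, deque([source])
        while queue and SINK not in parent:
            u = queue.popleft()
            for v, c in list(res[u].items()):
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if SINK not in parent:
            break
        v = SINK
        while parent[v] is not None:                 # push one unit of flow
            u = parent[v]
            res[u][v] -= 1
            res[v][u] += 1
            v = u
    return {x for x in dist if res[SINK][(x, "in")] > 0}


def table(caps):
    return lambda x, d: caps[d] if d < len(caps) else 0


def merge(*graphs):
    merged = defaultdict(list)
    for graph in graphs:
        for u, vs in graph.items():
            merged[u].extend(vs)
    return merged


def single_level(manual, captcha, seed):
    """Baseline: a solved CAPTCHA counts the same as manual trust."""
    return accepted(merge(manual, captcha), seed, table(MANUAL_CAPS))


def two_level(manual, captcha, seed):
    """Pass 1 uses manual trust only. Pass 2 adds CAPTCHA edges, but an
    identity without manual trust gets capacity 1: it can be seen, yet
    passes no flow on to the identities it lists."""
    trusted = accepted(manual, seed, table(MANUAL_CAPS))
    base = table(CAPTCHA_CAPS)
    cap = lambda x, d: base(x, d) if x in trusted else min(1, base(x, d))
    return trusted | accepted(merge(manual, captcha), seed, cap)


# Constructed sample graph: Sam solves Alice's CAPTCHA, then lists five
# sock puppets as trusted in his own trust list.
SOCKS = {f"sock{i}" for i in range(5)}
MANUAL = {"me": ["alice", "bob"], "alice": ["carol"], "sam": sorted(SOCKS),
          "far": ["hop1"], "hop1": ["hop2"], "hop2": ["alice"]}
CAPTCHA = {"alice": ["sam"]}

if __name__ == "__main__":
    for viewer in ("me", "far"):
        print(viewer, "single:", sorted(single_level(MANUAL, CAPTCHA, viewer)))
        print(viewer, "two-level:", sorted(two_level(MANUAL, CAPTCHA, viewer)))
```

Viewed from `me`, the single-pass baseline admits Sam plus three of his sock puppets, while the two-pass version admits Sam alone. Viewed from `far`, three hops away from Alice, Sam is not seen at all.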

Re: [freenet-dev] Why WoTs won't work....

2009-05-26 Thread Evan Daniel
On Tue, May 26, 2009 at 4:45 PM, xor x...@gmx.li wrote:
> On Friday 22 May 2009 16:39:06 Evan Daniel wrote:
>> On Fri, May 22, 2009 at 8:17 AM, Matthew Toseland
>>
>> t...@amphibian.dyndns.org wrote:
>> > On Friday 22 May 2009 08:17:55 bbac...@googlemail.com wrote:
>> >> Isn't his point that the users just won't maintain the trust lists?
>> >> I thought that is the problem that he meant how can Advogato help us
>> >
>> > here?
>> >
>> > Advogato with only positive trust introduces a different tradeoff, which
>> > is still a major PITA to maintain, but maybe less of one:
>> > - Spammers only disappear when YOU mark them as spammers, or ALL the
>> > people you trust do. Right now they disappear when the majority, from the
>> > point of view of your position on the WoT, mark them as spammers (more or
>> > less).
>>
>> When they *fail to mark them as trusted*.  It's an important
>> distinction, as it means that in order for the spammer to do anything
>> they first have to *manually* build trust.  If an identity suddenly
>> starts spamming, only people that originally marked it as trusted have
>> to change their trust lists in order to stop them.
>>
>> > - If you mark a spammer as positive because he posts useful content on
>> > one board, and you don't read the boards he spams you are likely to get
>> > marked as a spammer yourself.
>>
>> Depends how militant people are.  I suspect in practice people won't
>> do this unless you trust a lot of spammers... in which case they have
>> a point.  (This is also a case for distinguishing message trust from
>> trust list trust; while Advogato doesn't do this, the security proof
>> extends to cover it without trouble.)  You can take an in-between
>> step: if Alice marks both Bob and Carol as trusted, and Bob marks
>> Carol a spammer, Alice's software notices and alerts Alice, and offers
>> to show Alice recent messages from Carol from other boards.
>> (Algorithmically, publishing "Sam is a spammer" is no different from
>> not publishing anything about Sam, but it makes some nice things
>> possible from a UI standpoint.)  This may well get most of the benefit
>> of ultimatums with lower complexity.
>>
>> > - If a spammer doesn't spam himself, but gains trust through posting
>> > useful content on various boards and then spends this trust by trusting
>> > spam identities, it will be necessary to give him zero message list
>> > trust. Again this has serious issues with collateral damage, depending on
>> > how trigger-happy people are and how much of a problem it is for newbies
>> > to see spam.
>> >
>> > Technologically, this requires:
>> > - Changing WoT to only support positive trust. This is more or less a one
>> > line change.
>>
>> If all you want is positive trust only, yes.  If you want the security
>> proof, it requires using the network flow algorithm as specified in
>> the paper, which is a bit more complex.  IMHO, fussing with the
>> algorithm in ways that don't let you apply the security proof is just
>> trading one set of alchemy for another -- it might help, but I don't
>> think it would be wise.
>>
>> > - Making sure that my local ratings always override those given by
>> > others, so I can mark an identity as spam and never see it again. Dunno
>> > if this is currently implemented.
>> > - Making CAPTCHA announcement provide some form of short-lived trust, so
>> > if the newly introduced identity doesn't get some trust it goes away.
>> > This may also be implemented.
>>
>> My proposal: there are two levels of trust (implementation starts
>> exactly as per Advogato levels).  The lower level is CAPTCHA trust;
>> the higher is manually set only.  (This extends to multiple manual
>> levels without loss of generality.)  First, the algorithm is run
>> normally on the manual trust level.  Then, the algorithm is re-run on
>> the CAPTCHA trust level, with modification: identities that received
>> no manual trust have severely limited capacity (perhaps as low as 1),
>> and the general set of capacity vs distance from root is changed to
>> not go as deep.
>>
>> The first part means that the spammer can't chain identities *at all*
>> before getting the top one manually trusted.  The second means that
>> identities that only solved a CAPTCHA will only be seen by a small
>> number of people -- ie they can't spam everyone.  The exact numbers
>> for flow vs depth would need some tuning for both trust levels,
>> obviously.  You want enough people to see new identities that they
>> will receive manual trust.
>
> It is absolutely INACCEPTABLE for a discussion system to only display messages
> of newbies to "some people" due to the nature of discussion:
> - The *value* of a single post from a new identity which has posted a single
> message can be ANYTHING... it can be absolute crap... but it can also be a
> highly valuable secret document which reveals stuff which is interesting for
> millions of people. In other words: The fact that someone is a newbie does not
> say ANYTHING about the worth of his posts. In more other words: NO individual
> has the right to increase the "worth" of his posts - as in the amount of
> people reading them - by speaking very much on Freetalk and

[freenet-dev] Why WoTs won't work....

2009-05-24 Thread xor
On Friday 22 May 2009 17:22:45 Evan Daniel wrote:
> No, that is not sufficient.  The attack that makes it necessary (which
> is also possible on FMS, btw -- in fact it's even more effective) is
> fairly simple.  A spammer gets a dummy identity trusted manually by
> other people.  He then has it mark several other identities as
> trustworthy.  Those identities then spam as much as is worthwhile
> (limited only by message count limits, basically).  The spammer then
> removes them from the dummy identity published trust list, adds new
> spamming identities, and repeats.  The result is that his one main
> identity can get a large quantity of spam through, even though it can
> only mark a limited number of child identities trusted and each of
> them can only send a limited amount of spam.

If the spammer removes them from his main identity's trust list, 
then Freetalk will not download messages from them any more because there is 
no "route of trust" from the root of the trust tree (your own identity) to the 
"several other identities"!  So the several other child identities will not 
have a positive score anymore.

- If he does not remove his child identities from his main identity's trust 
list, then getting rid of the spammer is a matter of distrusting his main 
identity.

At least that's how I've understood the current code of the WoT plugin. 
Correct me if I'm wrong..




[freenet-dev] Why WoTs won't work....

2009-05-24 Thread xor
>
> No one can really censor FMS alright, BUT there IS a problem with those
> 'censored trust lists' anyway. The existence of censored trust lists forces
> users to actively maintain their own trust lists, the WoT won't work 'on its
> own' as it would if everyone used it the way it's supposed to.
>
> Let me try to explain: if everyone used wot to block flood attacks and
> nothing else, new users wouldn't need to try and find out which trust lists
> are 'good', they wouldn't need to work on their trust lists for hours every
> day, try to spot censors or "guys who won't block pedos", they could simply
> use FMS and occasionally set a high trust for someone they actually trust,
> or lower the trust for someone they caught spamming
>
> But the current situation makes FMS a pain in the ass. Users have to work
> on your trust lists regularly, and new users risk (and probably do) to have
> some of the content blocked by some censor because the guy posted one
> message on a board that the censor found 'immoral'.
>
> It may take time until the new user figures out which trust lists to use,
> and there's a very real risk that he would think that it isn't worth the
> hassle and give up on FMS completely. 

This is nonsense. As long as it works, people will not quit using FMS. People 
are lazy. If something works, they use it.

IF they quit something, the first thing which they quit will be to maintain 
their trust list. And that is acceptable, in a WoT not *everyone* has to 
maintain his trust list, only a certain amount of users.

>> I did that, others did that, and more
> will.
>
> THAT is the real problem with the Little Brothers, not their non-existent
> ability to censor content. They can't censor anything and they know it. But
> they can and do make FMS a pain in the ass to use.

It's not the software which is a pain in the ass to use, but the author of 
that post is making the usage a pain in the ass to himself: He forces himself 
to over-maintain his trust list which then annoys him? This is clearly not a 
bug in the software but a "human" misbehavior of the poster: He over-stresses 
himself and then loses motivation. Not the problem of software writers...

>
> Another problem is that, assuming that the fms community will survive
> (which I don't think it will), it may end up split into a number of closed
> sub-communities that refuse to talk to each other. But this is only a
> guess, so far. We'll have to see how it turns out.

Yes, it is a guess. And it is completely acceptable. That's what also happens 
in our society, with different political groups, etc. It is human and 
inevitable.

>
> In the meantime, making FMS into a PITa has been done already, that is why
> FMS is as good as dead, and that's why I think that investing developers'
> time and effort into WoT and Freetalk is a huge waste: FMS failed because
> of human stupidity and arrogance, and so will Freetalk/WoT, and I really
> can't understand why the devs can't see the obvious (or refuse to admit it)

Again this is nonsense: FMS failed because of a lack of users. And the lack of 
users came from its difficult setup (running an extra binary, which has to be 
manually upgraded very often) and UI, and the fact that it is not integrated 
into fproxy so most Freenet newbies won't even get to see it.

All this will be solved by Freetalk via easy-to-use integration into fproxy.





[freenet-dev] Why WoTs won't work....

2009-05-24 Thread Arne Babenhauserheide
On Saturday, 23. May 2009 16:06:51 Matthew Toseland wrote:
> People will game the system, no? If they think paedophiles are scum who
> should not be allowed to speak, and they realise that clicking "This is
> spam" is more effective than "This is crap", they will click the former,
> no?

Not if the penalty for marking something falsely as spam is to lose all trust 
for their own messages ("You falsely reported spam -> you're a spammer") while 
the "penalty" for thinking different is simply that their ratings won't be 
taken as seriously. 

(I hope the above is possible in the implementation). 

Best wishes, 
Arne

--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- 
   - singing a part of the history of free software -
  http://infinite-hands.draketo.de



___
Devl mailing list
Devl@freenetproject.org
http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl


[freenet-dev] Why WoTs won't work....

2009-05-23 Thread Mike Bush
On Sat, 2009-05-23 at 15:06 +0100, Matthew Toseland wrote:
> On Saturday 23 May 2009 10:43:09 Arne Babenhauserheide wrote:
> > On Friday, 22. May 2009 23:10:42 Mike Bush wrote:
> > > I have been watching this debate and I was wondering whether it could
> > > help to have 2 sets of trust values for each identity in a trust list,
> > > this could mean you could mark an identity as spamming or that I don't
> > > want to see these posts again as I find them objectionable.
> > 
> > This is what Credence did in the end for spam detection on Gnutella, so it 
> > might fit the human psyche :) 
> > 
> > People got the option to say "that's bad quality or misleading", "I don't like
> > it" or "that's spam".
> > 
> > For messages that could be 
> > 
> > * "that ID posts spam"
> > * "that ID posts crap"
> > 
> > The first can easily be reviewed, the second is subjective. That would give a
> > soft group censorship option, but give the useful spam detection to everyone.
> > 
> > Best wishes, 
> > Arne
> > 
> > PS: Yes, I mostly just tried to clarify Mike's post for me. I hope the mail's
> > useful to you nonetheless.
> 
> People will game the system, no? If they think paedophiles are scum who 
> should not be allowed to speak, and they realise that clicking "This is spam" 
> is more effective than "This is crap", they will click the former, no?

Yes but offering this could separate those who wish to mark what they
object to and don't wish to see from those who wish to censor
other people's views of the service against their will. I don't think the
first group should be a problem if they have this option.

Surely it depends on what proportion are in each group, I've not used
FMS, maybe someone who uses it has some idea whether these groups exist.




[freenet-dev] Why WoTs won't work....

2009-05-23 Thread Evan Daniel
On Sat, May 23, 2009 at 10:06 AM, Matthew Toseland wrote:
> On Saturday 23 May 2009 10:43:09 Arne Babenhauserheide wrote:
>> On Friday, 22. May 2009 23:10:42 Mike Bush wrote:
>> > I have been watching this debate and I was wondering whether it could
>> > help to have 2 sets of trust values for each identity in a trust list,
>> > this could mean you could mark an identity as spamming or that I don't
>> > want to see these posts again as I find them objectionable.
>>
>> This is what Credence did in the end for spam detection on Gnutella, so it
>> might fit the human psyche :)
>>
>> People got the option to say "that's bad quality or misleading", "I don't like
>> it" or "that's spam".
>>
>> For messages that could be
>>
>> * "that ID posts spam"
>> * "that ID posts crap"
>>
>> The first can easily be reviewed, the second is subjective. That would give a
>> soft group censorship option, but give the useful spam detection to everyone.
>>
>> Best wishes,
>> Arne
>>
>> PS: Yes, I mostly just tried to clarify Mike's post for me. I hope the mail's
>> useful to you nonetheless.
>
> People will game the system, no? If they think paedophiles are scum who 
> should not be allowed to speak, and they realise that clicking "This is spam" 
> is more effective than "This is crap", they will click the former, no?

I would assume that's the normal case.  OTOH, there isn't much harm in
implementing it, and if some people use it, that would help
somewhat...  Perhaps implement, but not required for initial release?

Evan Daniel



[freenet-dev] Why WoTs won't work....

2009-05-23 Thread Matthew Toseland
On Friday 22 May 2009 22:38:43 Evan Daniel wrote:
> On Fri, May 22, 2009 at 5:03 PM, Matthew Toseland wrote:
> >>  - Making CAPTCHA announcement provide some form of short-lived trust, so if
> >>  the newly introduced identity doesn't get some trust it goes away. This may
> >>  also be implemented.
> >> >>> This would require adding trust to new people, As you can see with FMS,
> >> >>> having everyone spending daily time on trustlist adjustments is just an
> >> >>> idea, which won't come true. So this would mean that every identity that
> >> >>> is not very active will lose any trust and would have to introduce himself
> >> >>> again. More pain and work resulting in less users.
> >> >>
> >> >> See my proposal (other mail in this thread, also discussed
> >> >> previously).  Short-range but long-lived trust is a better substitute,
> >> >> imho.
> >> >
> >> > I would call it censorship because those that see you because of captcha
> >> > announcement can themselves say what happens,
> >> > -if they don't give you trust, most won't see you => you are lost, are censored
> >> > -if they give you trust, everyone will see you => not censored
> >> >
> >> > This would give a small group of people the chance to censor newly announced
> >> > identities (also the group may be different for every identity).
> >>
> >> Then use a more permissive capacity:distance function.  There is no
> >> requirement that you use a shorter range function, or that you use the
> >> same function as everyone else.  IMHO, the default should be somewhat
> >> shorter range, in an attempt to balance the number of people that see
> >> new identities.  As you observe, too few leads to censorship
> >> possibilities (out of malice or just plain laziness).  Too many means
> >> that an identity with CAPTCHA trust only can spam and have everyone
> >> see that spam, which provides the spammer a reasonably efficient way
> >> to send spam.
> >
> > So it's a tradeoff which can be easily configured by the user.
> 
> Yes.  As always, intelligent defaults are important; they should be
> applicable to most newbies, but don't need to meet everyone's needs.
> And if you change it unwisely, you hurt only yourself (other people
> don't even notice).
> 
> >
> > I agree with pretty much all of the above, but the medium-term worry is 
> > that we will start to have to worry about those who trust spammers, and 
> > those who trust those who trust spammers. By eliminating negative trust, 
> > Advogato forces us to either tolerate a certain (and unclear) amount of 
> > spam, or spend a lot of effort on hunting down those who trust spammers, 
> > resulting in massive collateral damage.
> >> >>
> >> >> Also, what do you mean by review of identities added from others?
> >> >> Surely you don't mean that I should have to manually review every
> >> >> poster?  Isn't the whole point of using a wot in the first place that
> >> >> I can get good trust estimates of people I've never seen before?
> >> >
> >> > In FMS, there is currently a simple page, where the latest added identities
> >> > are listed and how they were listed. So if you get many spamming identities
> >> > and they are all added from 1 trusted peer, just remove his trustlist trust
> >> > and all those new spamming identities won't reach you.
> >
> > We want to make it easy, or nobody will do it. Poring over your trust list 
> > day after day is not most people's idea of fun.
> >
> > There are three approaches, given positive trust only. Depending on the 
> > level of effort exerted by the spammer, we move from one tradeoff between 
> > spam resistance and censorship resistance to the next. IMHO the last stage 
> > involves significant risk of censorship or at least collateral damage, 
> > while obviously having the strongest spam resistance.
> >
> > The first approach is to mark spammers as spammers, and limit the capacity 
> > of trusted identities to create new spammers by for example limits on the 
> > number of identities that can change in a trust list in one day. This means 
> > that everyone will have to mark all the spam identities as spam, much as in 
> > Frost with the Alice bot. It will deter newbies, but it should be usable 
> > for the determined. Note that it is *essential* on a positive trust only 
> > network that our spam markings override others' positive trust levels.
> >
> > The second approach is when we mark an identity as spam, WoT realises that 
> > an identity trusting that spammer also trusts a lot of other spammers, and 
> > proposes that we mark the parent identity as a spammer, at least for 
> > purposes of trust list trust. Hopefully this will be enough. The cost for 
> > every user will be to mark a few spammer posts as spam, and then accept 
> > WoT's recommendation to mark the parent as spammer. "A few" will be an 
> > arbitrary parameter that will have to be argued about, higher 

[freenet-dev] Why WoTs won't work....

2009-05-23 Thread Matthew Toseland
On Saturday 23 May 2009 10:43:09 Arne Babenhauserheide wrote:
> On Friday, 22. May 2009 23:10:42 Mike Bush wrote:
> > I have been watching this debate and I was wondering whether it could
> > help to have 2 sets of trust values for each identity in a trust list,
> > this could mean you could mark an identity as spamming or that I don't
> > want to see these posts again as I find them objectionable.
> 
> This is what Credence did in the end for spam detection on Gnutella, so it 
> might fit the human psyche :) 
> 
> People got the option to say "that's bad quality or misleading", "I don't like
> it" or "that's spam".
> 
> For messages that could be 
> 
> * "that ID posts spam"
> * "that ID posts crap"
> 
> The first can easily be reviewed, the second is subjective. That would give a 
> soft group censorship option, but give the useful spam detection to everyone. 
> 
> Best wishes, 
> Arne
> 
> PS: Yes, I mostly just tried to clarify Mike's post for me. I hope the mail's
> useful to you nonetheless.

People will game the system, no? If they think paedophiles are scum who should 
not be allowed to speak, and they realise that clicking "This is spam" is more 
effective than "This is crap", they will click the former, no?



[freenet-dev] Why WoTs won't work....

2009-05-23 Thread Evan Daniel
On Sat, May 23, 2009 at 10:10 AM, Matthew Toseland wrote:
>> > We want to make it easy, or nobody will do it. Poring over your trust list 
>> > day after day is not most people's idea of fun.
>> >
>> > There are three approaches, given positive trust only. Depending on the 
>> > level of effort exerted by the spammer, we move from one tradeoff between 
>> > spam resistance and censorship resistance to the next. IMHO the last stage 
>> > involves significant risk of censorship or at least collateral damage, 
>> > while obviously having the strongest spam resistance.
>> >
>> > The first approach is to mark spammers as spammers, and limit the capacity 
>> > of trusted identities to create new spammers by for example limits on the 
>> > number of identities that can change in a trust list in one day. This 
>> > means that everyone will have to mark all the spam identities as spam, 
>> > much as in Frost with the Alice bot. It will deter newbies, but it should 
>> > be usable for the determined. Note that it is *essential* on a positive 
>> > trust only network that our spam markings override others' positive trust 
>> > levels.
>> >
>> > The second approach is when we mark an identity as spam, WoT realises that 
>> > an identity trusting that spammer also trusts a lot of other spammers, and 
>> > proposes that we mark the parent identity as a spammer, at least for 
>> > purposes of trust list trust. Hopefully this will be enough. The cost for 
>> > every user will be to mark a few spammer posts as spam, and then accept 
>> > WoT's recommendation to mark the parent as spammer. "A few" will be an 
>> > arbitrary parameter that will have to be argued about, higher means less 
>> > chance of marking non-spammers as spammers, but at the cost of seeing more 
>> > spam.
>> >
>> > The third approach is that when we mark the parent identity as spam, WoT 
>> > suggests marking those who trust the parent identity also as spammers for 
>> > purposes of trust list trust (if we trust them; if we don't, it's not our 
>> > problem; we are trying to optimise the network *for other people*, 
>> > particularly for newbies, here). We can try to be polite about this using 
>> > ultimatums, since it's likely that they didn't deliberately choose to 
>> > trust the spam-parent knowing he is a spam-parent - but if they don't 
>> > respond in some period by removing him from their trust list, we will have 
>> > to reduce our trust in them. This will cause collateral damage and may be 
>> > abused for censorship which might be even more dangerous than the current 
>> > problems on FMS. However, if there is a LOT of spam, or if we want the 
>> > network to be fairly spam-free for newbies, the first two options are 
>> > insufficient. :|
>>
>> I'm not certain you're correct about this.  The first two methods are,
>> imho, sufficient to limit spam to levels that are annoying, but where
>> the network is still usable.  Even if they download a bunch of
>> messages, a new user only has to click the "spam" button once per
>> spamming identity, and those are limited in a well defined manner
>> (linear with modest coefficient with the number of dummy identities
>> the spammer is willing to maintain).
>>
>> My suspicion is that if all they can aspire to be is a nuisance, the
>> spammers won't be nearly as interested.  There is much more appeal to
>> being able to DoS a board or the whole network than being able to
>> mildly annoy the users.  So if we limit the amount of damage they can
>> do to a sane level, the actual amount of damage done will be
>> noticeably less than that limit.
>
> Can we agree that we should implement the second option in WoT then?

Yes, though I think it should default to only alerting the user in the
case of relatively obvious abuse.  As part of that I think it should
give the identity in question a modest grace period to correct its
trust list (if trust lists are published daily, 2 days seems
appropriate).  Given the churn rate limits, I don't think that's an
issue.

>>
>> There is another possible optimization we could do (I've just thought
>> of it, and I'm not entirely certain that it works or that I like it).
>> Suppose that Alice trusts Bob trusts Carol (legitimate but confused)
>> trusts Sam (a spammer), and Alice is busy computing her trust list.
>> Bob has (correctly) marked Sam as a spammer.  In the basic
>> implementation, Alice will accept Sam.  Bob may think that Carol is
>> normally correct (and not malicious), and be unwilling to zero out his
>> trust list trust for her.  However, since this is a flow computation,
>> we can place an added restriction: when Alice calculates trust, flow
>> passing through Bob may not arrive at Sam even if there are
>> intermediate nodes.  If Alice can find an alternate route for flow to
>> go from Alice to Carol or Sam, she will accept Sam.
>>
>> This modification is in some ways a negative trust feature, since
>> Bob's marking of Sam as a spammer is different from 

[freenet-dev] Why WoTs won't work....

2009-05-23 Thread Arne Babenhauserheide
On Friday, 22. May 2009 23:10:42 Mike Bush wrote:
> I have been watching this debate and I was wondering whether it could
> help to have 2 sets of trust values for each identity in a trust list,
> this could mean you could mark an identity as spamming or that I don't
> want to see these posts again as I find them objectionable.

This is what Credence did in the end for spam detection on Gnutella, so it 
might fit the human psyche :) 

People got the option to say "that's bad quality or misleading", "I don't like 
it" or "that's spam". 

For messages that could be 

* "that ID posts spam"
* "that ID posts crap"

The first can easily be reviewed, the second is subjective. That would give a 
soft group censorship option, but give the useful spam detection to everyone. 

Best wishes, 
Arne

PS: Yes, I mostly just tried to clarify Mike's post for me. I hope the mail's 
useful to you nonetheless. 

--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- 
   - singing a part of the history of free software -
  http://infinite-hands.draketo.de



[freenet-dev] Why WoTs won't work....

2009-05-23 Thread Victor Denisov
> In contrast, Advogato has multiple levels of trust, and each identity
> either trusts or does not trust each other identity at a given level.
...
> This implies running Ford-Fulkerson or similar; it's more complicated
> than the current system, though not drastically so.
> http://en.wikipedia.org/wiki/Ford-Fulkerson_algorithm

I don't know if it's common knowledge, but there's a relatively
well-written implementation of Advogato trust metric in Java, available
here: http://www.saddi.com/projects/index.html.
I hadn't reviewed it personally, but several of my students used it
successfully in their trust-related research.

Regards,
Victor Denisov.
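
An added example, not code from this thread, from the WoT plugin, or from the Java implementation linked above: a small Advogato-style flow metric (Edmonds-Karp, the breadth-first variant of Ford-Fulkerson) showing why a manually trusted dummy identity can get only a bounded number of children accepted at once, plus one reading of the two-level CAPTCHA proposal made earlier in the thread. The capacity tables, identity names, the `cap_limit` hook and the reading of "received no manual trust" as "not accepted in the manual pass" are assumptions of this example.

```python
"""Advogato-style trust metric: max flow with capacity that shrinks with distance."""
from collections import deque

INF = float("inf")
SINK = "SINK"
CAPS = (16, 8, 4, 2, 1)  # constructed table: capacity at distance 0, 1, 2, ...


def distances(trust, seed):
    """Breadth-first distance from seed over published trust edges."""
    dist, queue = {seed: 0}, deque([seed])
    while queue:
        u = queue.popleft()
        for v in trust.get(u, ()):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def accepted(trust, seed, caps=CAPS, cap_limit=None):
    """Identities accepted from seed's view; cap_limit (hypothetical) caps capacity."""
    cap_limit = cap_limit or {}
    dist = distances(trust, seed)
    res = {}  # residual capacities, res[u][v]

    def edge(u, v, cap):
        res.setdefault(u, {})[v] = cap
        res.setdefault(v, {}).setdefault(u, 0)

    for x, d in dist.items():
        cap = caps[d] if d < len(caps) else 0
        cap = min(cap, cap_limit.get(x, cap))
        if cap >= 1:
            edge((x, "in"), SINK, 1)              # accepting x uses one unit
            edge((x, "in"), (x, "out"), cap - 1)  # the rest may flow onward
    for x in dist:
        for y in trust.get(x, ()):
            if y != x:
                edge((x, "out"), (y, "in"), INF)

    source = (seed, "in")
    while True:  # Edmonds-Karp: always augment along a shortest path
        parent, queue = {source: None}, deque([source])
        while queue and SINK not in parent:
            u = queue.popleft()
            for v, cap in res.get(u, {}).items():
                if cap > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if SINK not in parent:
            break
        v = SINK  # every path ends on a unit edge, so it carries one unit
        while parent[v] is not None:
            u = parent[v]
            res[u][v] -= 1
            res[v][u] += 1
            v = u
    return {x for x in dist if res.get((x, "in"), {}).get(SINK) == 0}


def spam_children_accepted(n, chain=False):
    """Constructed graph: carol manually trusts mallory, who publishes n sybils."""
    trust = {"me": ["alice", "bob"], "alice": ["carol"],
             "bob": ["carol", "dave"], "carol": ["mallory"]}
    sybils = [f"sybil{i}" for i in range(n)]
    for i, s in enumerate(sybils):
        parent = sybils[i - 1] if chain and i else "mallory"
        trust.setdefault(parent, []).append(s)
    return len(accepted(trust, "me") & set(sybils))


def two_level(manual, captcha, seed, captcha_caps=(16, 8, 2, 1)):
    """Two-pass idea as read here: returns (manually trusted, CAPTCHA-only)."""
    trusted = accepted(manual, seed)
    merged = {u: list(manual.get(u, ())) + list(captcha.get(u, ()))
              for u in set(manual) | set(captcha)}
    known = set(merged).union(*merged.values())
    limit = {x: 1 for x in known - trusted}  # no manual trust: capacity 1
    return trusted, accepted(merged, seed, captcha_caps, limit) - trusted


def captcha_demo():
    """Constructed input: newbie and spam0 each solved one of alice's CAPTCHAs."""
    spam = [f"spam{i}" for i in range(1, 21)]
    manual = {"me": ["alice", "bob"], "alice": ["carol"], "spam0": spam}
    captcha = {"alice": ["newbie", "spam0"]}
    return two_level(manual, captcha, "me")


if __name__ == "__main__":
    print(spam_children_accepted(5), spam_children_accepted(500, chain=True))
    print(captcha_demo())
```

The bound is on how many children are accepted at one time; it does not by itself stop the rotation of children described earlier in the thread, which is what the churn limits on trust lists address.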




Re: [freenet-dev] Why WoTs won't work....

2009-05-23 Thread Evan Daniel
On Sat, May 23, 2009 at 10:10 AM, Matthew Toseland
t...@amphibian.dyndns.org wrote:
  We want to make it easy, or nobody will do it. Poring over your trust list 
  day after day is not most people's idea of fun.
 
  There are three approaches, given positive trust only. Depending on the 
  level of effort exerted by the spammer, we move from one tradeoff between 
  spam resistance and censorship resistance to the next. IMHO the last stage 
  involves significant risk of censorship or at least collateral damage, 
  while obviously having the strongest spam resistance.
 
  The first approach is to mark spammers as spammers, and limit the capacity 
  of trusted identities to create new spammers by for example limits on the 
  number of identities that can change in a trust list in one day. This 
  means that everyone will have to mark all the spam identities as spam, 
  much as in Frost with the Alice bot. It will deter newbies, but it should 
  be usable for the determined. Note that it is *essential* on a positive 
  trust only network that our spam markings override others' positive trust 
  levels.
 
  The second approach is when we mark an identity as spam, WoT realises that 
  an identity trusting that spammer also trusts a lot of other spammers, and 
  proposes that we mark the parent identity as a spammer, at least for 
  purposes of trust list trust. Hopefully this will be enough. The cost for 
  every user will be to mark a few spammer posts as spam, and then accept 
  WoT's recommendation to mark the parent as spammer. A few will be an 
  arbitrary parameter that will have to be argued about, higher means less 
  chance of marking non-spammers as spammers, but at the cost of seeing more 
  spam.
 
  The third approach is that when we mark the parent identity as spam, WoT 
  suggests marking those who trust the parent identity also as spammers for 
  purposes of trust list trust (if we trust them; if we don't, it's not our 
  problem; we are trying to optimise the network *for other people*, 
  particularly for newbies, here). We can try to be polite about this using 
  ultimatums, since it's likely that they didn't deliberately choose to 
  trust the spam-parent knowing he is a spam-parent - but if they don't 
  respond in some period by removing him from their trust list, we will have 
  to reduce our trust in them. This will cause collateral damage and may be 
  abused for censorship which might be even more dangerous than the current 
  problems on FMS. However, if there is a LOT of spam, or if we want the 
  network to be fairly spam-free for newbies, the first two options are 
  insufficient. :|

 I'm not certain you're correct about this.  The first two methods are,
 imho, sufficient to limit spam to levels that are annoying, but where
 the network is still usable.  Even if they download a bunch of
 messages, a new user only has to click the spam button once per
 spamming identity, and those are limited in a well defined manner
 (linear with modest coefficient with the number of dummy identities
 the spammer is willing to maintain).

 My suspicion is that if all they can aspire to be is a nuisance, the
 spammers won't be nearly as interested.  There is much more appeal to
 being able to DoS a board or the whole network than being able to
 mildly annoy the users.  So if we limit the amount of damage they can
 do to a sane level, the actual amount of damage done will be
 noticeably less than that limit.

 Can we agree that we should implement the second option in WoT then?

Yes, though I think it should default to only alerting the user in the
case of relatively obvious abuse.  As part of that I think it should
give the identity in question a modest grace period to correct its
trust list (if trust lists are published daily, 2 days seems
appropriate).  Given the churn rate limits, I don't think that's an
issue.


 There is another possible optimization we could do (I've just thought
 of it, and I'm not entirely certain that it works or that I like it).
 Suppose that Alice trusts Bob trusts Carol (legitimate but confused)
 trusts Sam (a spammer), and Alice is busy computing her trust list.
 Bob has (correctly) marked Sam as a spammer.  In the basic
 implementation, Alice will accept Sam.  Bob may think that Carol is
 normally correct (and not malicious), and be unwilling to zero out his
 trust list trust for her.  However, since this is a flow computation,
 we can place an added restriction: when Alice calculates trust, flow
 passing through Bob may not arrive at Sam even if there are
 intermediate nodes.  If Alice can find an alternate route for flow to
 go from Alice to Carol or Sam, she will accept Sam.

 This modification is in some ways a negative trust feature, since
 Bob's marking of Sam as a spammer is different from silence.  However,
 it doesn't let Bob censor anyone he couldn't censor by removing Carol
 from his trust list.  Under no circumstances will Alice using Bob's
 trust list 

Re: [freenet-dev] Why WoTs won't work....

2009-05-23 Thread Matthew Toseland
On Friday 22 May 2009 22:38:43 Evan Daniel wrote:
 On Fri, May 22, 2009 at 5:03 PM, Matthew Toseland
 t...@amphibian.dyndns.org wrote:
   - Making CAPTCHA announcement provide some form of short-lived trust, so if
   the newly introduced identity doesn't get some trust it goes away. This may
   also be implemented.
   This would require adding trust to new people. As you can see with FMS,
   having everyone spending daily time on trustlist adjustments is just an
   idea, which won't come true. So this would mean that every identity that
   is not very active will lose any trust and would have to introduce himself
   again. More pain and work resulting in less users.
  
   See my proposal (other mail in this thread, also discussed
   previously).  Short-range but long-lived trust is a better substitute,
   imho.
  
   I would call it censorship because those that see you because of captcha
   announcement can themselves say what happens,
   -if they don't give you trust, most won't see you => you are lost, are censored
   -if they give you trust, everyone will see you => not censored
  
   This would give a small group of people the chance to censor newly
   announced identities (also the group may be different for every identity).
 
  Then use a more permissive capacity:distance function.  There is no
  requirement that you use a shorter range function, or that you use the
  same function as everyone else.  IMHO, the default should be somewhat
  shorter range, in an attempt to balance the number of people that see
  new identities.  As you observe, too few leads to censorship
  possibilities (out of malice or just plain laziness).  Too many means
  that an identity with CAPTCHA trust only can spam and have everyone
  see that spam, which provides the spammer a reasonably efficient way
  to send spam.
 
  So it's a tradeoff which can be easily configured by the user.
 
 Yes.  As always, intelligent defaults are important; they should be
 applicable to most newbies, but don't need to meet everyone's needs.
 And if you change it unwisely, you hurt only yourself (other people
 don't even notice).
 
 
  I agree with pretty much all of the above, but the medium-term worry is 
  that we will start to have to worry about those who trust spammers, and 
  those who trust those who trust spammers. By eliminating negative trust, 
  Advogato forces us to either tolerate a certain (and unclear) amount of 
  spam, or spend a lot of effort on hunting down those who trust spammers, 
  resulting in massive collateral damage.
  
   Also, what do you mean by review of identities added from others?
   Surely you don't mean that I should have to manually review every
   poster?  Isn't the whole point of using a wot in the first place that
   I can get good trust estimates of people I've never seen before?
  
   In FMS, there is currently a simple page, where the latest added
   identities are listed and how they were listed. So if you get many
   spamming identities and they are all added from 1 trusted peer, just
   remove his trustlist trust and all those new spamming identities won't
   reach you.
 
  We want to make it easy, or nobody will do it. Poring over your trust list 
  day after day is not most people's idea of fun.
 
  There are three approaches, given positive trust only. Depending on the 
  level of effort exerted by the spammer, we move from one tradeoff between 
  spam resistance and censorship resistance to the next. IMHO the last stage 
  involves significant risk of censorship or at least collateral damage, 
  while obviously having the strongest spam resistance.
 
  The first approach is to mark spammers as spammers, and limit the capacity 
  of trusted identities to create new spammers by for example limits on the 
  number of identities that can change in a trust list in one day. This means 
  that everyone will have to mark all the spam identities as spam, much as in 
  Frost with the Alice bot. It will deter newbies, but it should be usable 
  for the determined. Note that it is *essential* on a positive trust only 
  network that our spam markings override others' positive trust levels.
 
  The second approach is when we mark an identity as spam, WoT realises that 
  an identity trusting that spammer also trusts a lot of other spammers, and 
  proposes that we mark the parent identity as a spammer, at least for 
  purposes of trust list trust. Hopefully this will be enough. The cost for 
  every user will be to mark a few spammer posts as spam, and then accept 
  WoT's recommendation to mark the parent as spammer. A few will be an 
  arbitrary parameter that will have to be argued about, higher means less 
  chance of marking non-spammers as spammers, but at the cost of seeing more 
  spam.
 
  The third approach is that when we mark the parent identity as spam, WoT 
  suggests marking those who trust the parent identity also as spammers for 
  purposes of trust list 

Re: [freenet-dev] Why WoTs won't work....

2009-05-23 Thread Mike Bush
On Sat, 2009-05-23 at 15:06 +0100, Matthew Toseland wrote:
> On Saturday 23 May 2009 10:43:09 Arne Babenhauserheide wrote:
>> On Friday, 22. May 2009 23:10:42 Mike Bush wrote:
>>> I have been watching this debate and I was wondering whether it could
>>> help to have 2 sets of trust values for each identity in a trust list,
>>> this could mean you could mark an identity as spamming or that I don't
>>> want to see these posts again as I find them objectionable.
>>
>> This is what Credence did in the end for spam detection on Gnutella, so it
>> might fit the human psyche :)
>>
>> People got the option to say that's bad quality or misleading, I don't
>> like it or that's spam.
>>
>> For messages that could be
>>
>> * that ID posts spam
>> * that ID posts crap
>>
>> The first can easily be reviewed, the second is subjective. That would give
>> a soft group censorship option, but give the useful spam detection to
>> everyone.
>>
>> Best wishes,
>> Arne
>>
>> PS: Yes, I mostly just tried to clarify Mike's post for me. I hope the
>> mail's useful to you nonetheless.
>
> People will game the system, no? If they think paedophiles are scum who
> should not be allowed to speak, and they realise that clicking "This is spam"
> is more effective than "This is crap", they will click the former, no?

Yes but offering this could separate those who wish to mark what they
object to and don't wish to see from those who wish to censor
other people's views of the service against their will. I don't think the
first group should be a problem if they have this option.

Surely it depends on what proportion are in each group, I've not used
FMS, maybe someone who uses it has some idea whether these groups exist.



Re: [freenet-dev] Why WoTs won't work....

2009-05-23 Thread Evan Daniel
On Sat, May 23, 2009 at 10:06 AM, Matthew Toseland
t...@amphibian.dyndns.org wrote:
 On Saturday 23 May 2009 10:43:09 Arne Babenhauserheide wrote:
 On Friday, 22. May 2009 23:10:42 Mike Bush wrote:
  I have been watching this debate and I was wondering whether it could
  help to have 2 sets of trust values for each identity in a trust list,
  this could mean you could mark an identity as spamming or that I don't
  want to see these posts again as I find them objectionable.

 This is what Credence did in the end for spam detection on Gnutella, so it
 might fit the human psyche :)

 People got the option to say that's bad quality or misleading, I don't
 like it or that's spam.

 For messages that could be

 * that ID posts spam
 * that ID posts crap

 The first can easily be reviewed, the second is subjective. That would give a
 soft group censorship option, but give the useful spam detection to everyone.

 Best wishes,
 Arne

 PS: Yes, I mostly just tried to clarify Mike's post for me. I hope the mail's
 useful to you nonetheless.

 People will game the system, no? If they think paedophiles are scum who
 should not be allowed to speak, and they realise that clicking "This is spam"
 is more effective than "This is crap", they will click the former, no?

I would assume that's the normal case.  OTOH, there isn't much harm in
implementing it, and if some people use it, that would help
somewhat...  Perhaps implement, but not required for initial release?

Evan Daniel


Re: [freenet-dev] Why WoTs won't work....

2009-05-23 Thread Arne Babenhauserheide
On Saturday, 23. May 2009 16:06:51 Matthew Toseland wrote:
> People will game the system, no? If they think paedophiles are scum who
> should not be allowed to speak, and they realise that clicking "This is
> spam" is more effective than "This is crap", they will click the former,
> no?

Not if the penalty for marking something falsely as spam is to lose all trust 
for their own messages (You falsely reported spam - you're a spammer) while 
the penalty for thinking different is simply that their ratings won't be 
taken as seriously. 

(I hope the above is possible in the implementation). 

Best wishes, 
Arne

--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- 
   - singing a part of the history of free software -
  http://infinite-hands.draketo.de



[freenet-dev] Why WoTs won't work....

2009-05-22 Thread Mike Bush
I have been watching this debate and I was wondering whether it could
help to have 2 sets of trust values for each identity in a trust list,
this could mean you could mark an identity as spamming or that I don't
want to see these posts again as I find them objectionable.

The spam tag would mean that I think that no-one would be interested in
seeing this, and if someone argues against that setting it is very
valid.

If I had a moral objection to an identity's posts I can block them from
my own view of the service as well as others who wish to share my view
of what is objectionable. Those against censorship can still use my
spammer trust list and ignore my censoring list but an argument against
me setting this is not valid as I state it is my personal view.

Personally I am against censorship in Freenet and that is why I wanted
to join the project, but if someone joins and feels they have an
obligation to stop themselves and their friends from seeing certain
things I think the option should be available. I would be interested to
hear if this has been considered.

mikeb




[freenet-dev] Why WoTs won't work....

2009-05-22 Thread Matthew Toseland
On Friday 22 May 2009 18:59:47 Evan Daniel wrote:
> On Fri, May 22, 2009 at 12:39 PM, Thomas Sachau wrote:
> > Evan Daniel wrote:
> >> On Fri, May 22, 2009 at 10:48 AM, Thomas Sachau wrote:
> >>> Matthew Toseland wrote:
>  On Friday 22 May 2009 08:17:55 bbackde at googlemail.com wrote:
> > Isn't his point that the users just won't maintain the trust lists?
> > I thought that is the problem that he meant how can Advogato help us
> > here?
>  Advogato with only positive trust introduces a different tradeoff, which is
>  still a major PITA to maintain, but maybe less of one:
>  - Spammers only disappear when YOU mark them as spammers, or ALL the people
>  you trust do. Right now they disappear when the majority, from the point of
>  view of your position on the WoT, mark them as spammers (more or less).
> >>> So this is a disadvantage of Advogato against current FMS implementation.
> >>> With the current FMS implementation, only a majority of trusted identities
> >>> need to mark him down, with Advogato, either all original trusters need to
> >>> mark him down or you need to do it yourself (either mark him down or
> >>> everyone, who trusts him, so
> >>> FMS 1:0 Advogato
> >>
> >> As I've said repeatedly, I believe there is a fundamental tradeoff
> >> between spam resistance and censorship resistance, in the limiting
> >> case.  (It's obviously possible to have an algorithm that does poorly
> >> at both.)  Advogato *might* let more spam through than FMS.  There is
> >> no proof provided for how much spam FMS lets through; with Advogato it
> >> is limited in a provable manner.  Alchemy is a bad thing.  FMS
> >> definitely makes censorship by the mob easier.  By my count, that's a
> >> win for Advogato on both.
> >
> > I don't think you can divide between "spam resistance" and "censorship
> > resistance" for a simple reason: Who defines what sort of action or text is
> > spam? Many people may mostly agree about some sort of action or content to
> > be spam, but others could claim the reduced visibility censorship.
> > And I don't see any alchemy with the current trust system of FMS, if
> > something is alchemy and not clear, please point it out, but the exact
> > point please.
> > And FMS does not make "censorship by a mob easier". Simply because you
> > should select the people you trust yourself. Like you should select your
> > friends and darknet peers yourself. If you let others do it for you, don't
> > argue about what follows (like a censored view on FMS).
> 
> Yes, the spam and censorship problems are closely related.  That's why
> I say there is something of a tradeoff between them.  The problem with
> FMS should be obvious: if some small group actively tries to censor
> things I consider non-spam, then it requires a significant amount of
> effort by me to stop that.  I have to look at trust lists that mostly
> contain valid markings, and belong to real people posting real
> messages, and somehow determine that some of the entries on them are
> invalid, and then decide not to trust their trust list.  Furthermore,
> I have to do this without actually examining each entry on their trust
> list -- I'm trying to look at *less* spam here, not more.  The result
> is a balkanization of trust lists based on differing policies.  Any
> mistakes I make will go unnoticed, since I won't see the erroneously
> rejected messages.
> 
> In FMS, a group with permissive policies (spam filtering only) and a
> group that filtered content they found objectionable can't make
> effective use of each other's trust lists.  However, the former group
> would like to trust the not-spammer ratings made by the latter group,
> and the latter group would like to trust the spammer ratings made by
> the former.  AIUI, the balkanization of FMS trust lists largely
> prevents this.  Advogato would allow the permissive group to make use
> of the less permissive group's ratings, without allowing them to act
> as censors.
> 
> IMHO, the Advogato case is better for two reasons: first, favoring
> those who only want to stop spam over those who want to filter
> objectionable content is more consistent with the philosophy behind
> Freenet.  Second, spam filters of any sort should be biased towards
> type II errors, since they're less problematic and easier to correct.
> 
> Essentially, I think that FMS goes overboard in its attempts to reduce
> spam.  It is my firm belief that limiting the amount of spam that can
> be sent to a modest linear function of the amount of *manual* effort a
> spammer exerts is sufficient.  Spam is a problem in both Frost and
> email because spammers can simply run bots.  The cost of FMS, both in
> worry over mob censorship and work required to maintain trust lists,
> is very high.  I think that the total effort spent by the community
> would be reduced by the use of an algorithm that took more effort to
> stop 

[freenet-dev] Why WoTs won't work....

2009-05-22 Thread Matthew Toseland
On Friday 22 May 2009 15:39:06 Evan Daniel wrote:
> On Fri, May 22, 2009 at 8:17 AM, Matthew Toseland wrote:
> > On Friday 22 May 2009 08:17:55 bbackde at googlemail.com wrote:
> >> Isn't his point that the users just won't maintain the trust lists?
> >> I thought that is the problem that he meant how can Advogato help us
> >> here?
> >
> > Advogato with only positive trust introduces a different tradeoff, which is
> > still a major PITA to maintain, but maybe less of one:
> > - Spammers only disappear when YOU mark them as spammers, or ALL the people
> > you trust do. Right now they disappear when the majority, from the point of
> > view of your position on the WoT, mark them as spammers (more or less).
> 
> When they *fail to mark them as trusted*.  It's an important
> distinction, as it means that in order for the spammer to do anything
> they first have to *manually* build trust.  If an identity suddenly
> starts spamming, only people that originally marked it as trusted have
> to change their trust lists in order to stop them.
> 
> > - If you mark a spammer as positive because he posts useful content on one
> > board, and you don't read the boards he spams you are likely to get marked
> > as a spammer yourself.
> 
> Depends how militant people are.  I suspect in practice people won't
> do this unless you trust a lot of spammers... in which case they have
> a point.  (This is also a case for distinguishing message trust from
> trust list trust; while Advogato doesn't do this, the security proof
> extends to cover it without trouble.)  You can take an in-between
> step: if Alice marks both Bob and Carol as trusted, and Bob marks
> Carol a spammer, Alice's software notices and alerts Alice, and offers
> to show Alice recent messages from Carol from other boards.
> (Algorithmically, publishing "Sam is a spammer" is no different from
> not publishing anything about Sam, but it makes some nice things
> possible from a UI standpoint.)  This may well get most of the benefit
> of ultimatums with lower complexity.

Right, this is something I keep forgetting to mention. When marking a user as a 
spammer, the UI should ask the user about people who trust that spammer and 
other spammers. However, it does encourage militancy, doesn't it? It certainly 
doesn't solve the problem the way that ultimatums do...
> 
> > - If a spammer doesn't spam himself, but gains trust through posting useful
> > content on various boards and then spends this trust by trusting spam
> > identities, it will be necessary to give him zero message list trust. Again
> > this has serious issues with collateral damage, depending on how
> > trigger-happy people are and how much of a problem it is for newbies to see
> > spam.
> >
> > Technologically, this requires:
> > - Changing WoT to only support positive trust. This is more or less a one
> > line change.
> 
> If all you want is positive trust only, yes.  If you want the security
> proof, it requires using the network flow algorithm as specified in
> the paper, which is a bit more complex.  IMHO, fussing with the
> algorithm in ways that don't let you apply the security proof is just
> trading one set of alchemy for another -- it might help, but I don't
> think it would be wise.

I was under the impression that WoT already used Advogato, apart from 
supporting negative trust values and therefore negative trust.
> 
> > - Making sure that my local ratings always override those given by others,
> > so I can mark an identity as spam and never see it again. Dunno if this is
> > currently implemented.
> > - Making CAPTCHA announcement provide some form of short-lived trust, so if
> > the newly introduced identity doesn't get some trust it goes away. This may
> > also be implemented.
> 
> My proposal: there are two levels of trust (implementation starts
> exactly as per Advogato levels).  The lower level is CAPTCHA trust;
> the higher is manually set only.  (This extends to multiple manual
> levels without loss of generality.)  First, the algorithm is run
> normally on the manual trust level.  Then, the algorithm is re-run on
> the CAPTCHA trust level, with modification: identities that received
> no manual trust have severely limited capacity (perhaps as low as 1),
> and the general set of capacity vs distance from root is changed to
> not go as deep.

Not bad. Currently CAPTCHA identities are seen by everyone iirc, this may be a 
desirable (if not scalable) property.
> 
> The first part means that the spammer can't chain identities *at all*
> before getting the top one manually trusted.  The second means that
> identities that only solved a CAPTCHA will only be seen by a small
> number of people -- ie they can't spam everyone.  The exact numbers
> for flow vs depth would need some tuning for both trust levels,
> obviously.  You want enough people to see new identities that they
> will receive manual trust.

Yeah... so far p0s has resisted any suggestion that any identity 
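
An added sketch (not code from WoT, FMS or anyone in this thread) of the two-level proposal quoted above: an Advogato-style flow is run over manual trust, then over manual plus CAPTCHA trust with a shallower capacity schedule and capacity 1 for identities that got no manual acceptance. The capacity numbers, the identity names and the reading of "received no manual trust" as "not accepted in the manual pass" are assumptions.

```python
from collections import deque

INF = float("inf")
# Capacity by hop distance from the root. Both schedules are assumed values.
MANUAL_CAPS = [8, 4, 2, 1]
CAPTCHA_CAPS = [4, 2, 2]  # shallower: identities further out get capacity 0


def distances(edges, root):
    """Hop distance from root over directed (truster, trustee) edges."""
    dist, queue = {root: 0}, deque([root])
    while queue:
        u = queue.popleft()
        for a, b in edges:
            if a == u and b not in dist:
                dist[b] = dist[u] + 1
                queue.append(b)
    return dist


def capacities(edges, root, schedule, limited=()):
    """Capacity per identity; identities in `limited` are capped at 1."""
    caps = {}
    for x, d in distances(edges, root).items():
        c = schedule[d] if d < len(schedule) else 0
        caps[x] = min(c, 1) if x in limited else c
    return caps


def accepted(edges, root, caps):
    """Advogato-style flow. Each identity x is split into (x, "in") and
    (x, "out"): in -> sink has capacity 1 (x is accepted), in -> out has
    capacity caps[x] - 1 (what x may pass on to identities it trusts)."""
    res = {}  # residual capacities, res[u][v]

    def add(u, v, c):
        res.setdefault(u, {})[v] = c
        res.setdefault(v, {}).setdefault(u, 0)

    for x, c in caps.items():
        if c > 0:
            add((x, "in"), "sink", 1)
            add((x, "in"), (x, "out"), c - 1)
    for a, b in edges:
        if caps.get(a, 0) > 0 and caps.get(b, 0) > 0:
            add((a, "out"), (b, "in"), INF)

    source = (root, "in")
    while True:  # Edmonds-Karp: always augment along a shortest path
        parent, queue = {source: None}, deque([source])
        while queue and "sink" not in parent:
            u = queue.popleft()
            for v, c in res.get(u, {}).items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if "sink" not in parent:
            break
        v = "sink"
        while parent[v] is not None:  # every path ends in a capacity-1 edge
            u = parent[v]
            res[u][v] -= 1
            res[v][u] += 1
            v = u
    return {x for x, c in caps.items() if c > 0 and res[(x, "in")]["sink"] == 0}


def visible_identities(trust, root):
    """trust maps (truster, trustee) -> "manual" or "captcha".
    Returns (accepted on manual trust, additionally accepted on CAPTCHA trust)."""
    manual_edges = [e for e, level in trust.items() if level == "manual"]
    all_edges = list(trust)
    manual = accepted(manual_edges, root,
                      capacities(manual_edges, root, MANUAL_CAPS))
    # Second pass: identities without manual acceptance get capacity 1, so they
    # can be seen but have nothing left to pass on to identities they list.
    unvouched = set(distances(all_edges, root)) - manual
    captcha = accepted(all_edges, root,
                       capacities(all_edges, root, CAPTCHA_CAPS, unvouched))
    return manual, captcha - manual


# Constructed sample graph (names are illustrative).
TRUST = {
    ("alice", "bob"): "manual",
    ("bob", "carol"): "manual",
    ("carol", "dave"): "manual",
    ("carol", "sam"): "captcha",  # sam solved a CAPTCHA published by carol
    ("sam", "sock1"): "manual",   # sam vouches for its own extra identities
    ("sam", "sock2"): "manual",
}
```

With this graph, carol sees sam on CAPTCHA trust but none of the identities sam lists, and alice, three hops from sam, does not see sam at all.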

[freenet-dev] Why WoTs won't work....

2009-05-22 Thread Luke771

> FMS is as good as dead, and that's why I think that investing developers'
> time and effort into WoT and Freetalk is a huge waste: FMS failed because of
> human stupidity and arrogance, and so will Freetalk/WoT, and I really can't
> understand why the devs can't see the obvious (or refuse to admit it)
>
>> BTW, I don't hate Falafel. Hate costs energy. A lot of it.
>>
>
> The devs don't care because there are no practical alternatives, and because
> I at least don't use FMS, since nobody I trust has reviewed it, and it can't be
> bundled so I won't. However, evanbd's work on positive trust is worth
> considering, see my other email.
>

I know that. We talked about it on IRC and I agreed that even with all
its flaws, WoT is actually the only feasible solution ATM.
I posted that message to Frost _before_ we talked about it on IRC, and I
wouldn't have forwarded it here because the topic has been discussed more
than enough.


A new "combo" client capable of running the "classic" Frost side by side 
with Freetalk could be a nice workaround, even tho not really a 
solution: a board on the old non-wot Frost could be used by an identity 
to ask for some _message_ trust if it's been made virtually invisible by 
the Little Brothers'  before anyone could give it any trust.

And yes, it can be spammed. Make a new one then. The point is that an ID 
that has been unjustly blocked can ask for a second chance, and having 
to ask means that those who agree to give that ID some trust will watch 
him and will be ready to revoke that trust if he starts spamming, so 
asking for some trust and then abusing it is not gonna work.





[freenet-dev] Why WoTs won't work....

2009-05-22 Thread Thomas Sachau
Evan Daniel wrote:
> On Fri, May 22, 2009 at 10:48 AM, Thomas Sachau wrote:
>> Matthew Toseland wrote:
>>> On Friday 22 May 2009 08:17:55 bbackde at googlemail.com wrote:
>>>> Isn't his point that the users just won't maintain the trust lists?
>>>> I thought that is the problem that he meant how can Advogato help us
>>>> here?
>>> Advogato with only positive trust introduces a different tradeoff, which is
>>> still a major PITA to maintain, but maybe less of one:
>>> - Spammers only disappear when YOU mark them as spammers, or ALL the people
>>> you trust do. Right now they disappear when the majority, from the point of
>>> view of your position on the WoT, mark them as spammers (more or less).
>> So this is a disadvantage of Advogato against current FMS implementation.
>> With the current FMS implementation, only a majority of trusted identities
>> need to mark him down, with Advogato, either all original trusters need to
>> mark him down or you need to do it yourself (either mark him down or
>> everyone, who trusts him, so
>> FMS 1:0 Advogato
> 
> As I've said repeatedly, I believe there is a fundamental tradeoff
> between spam resistance and censorship resistance, in the limiting
> case.  (It's obviously possible to have an algorithm that does poorly
> at both.)  Advogato *might* let more spam through than FMS.  There is
> no proof provided for how much spam FMS lets through; with Advogato it
> is limited in a provable manner.  Alchemy is a bad thing.  FMS
> definitely makes censorship by the mob easier.  By my count, that's a
> win for Advogato on both.

I don't think you can divide between "spam resistance" and "censorship
resistance" for a simple reason: Who defines what sort of action or text is
spam? Many people may mostly agree about some sort of action or content to
be spam, but others could claim the reduced visibility censorship.
And I don't see any alchemy with the current trust system of FMS, if something
is alchemy and not clear, please point it out, but the exact point please.
And FMS does not make "censorship by a mob easier". Simply because you should
select the people you trust yourself. Like you should select your friends and
darknet peers yourself. If you let others do it for you, don't argue about
what follows (like a censored view on FMS).

>>> - Making CAPTCHA announcement provide some form of short-lived trust, so if
>>> the newly introduced identity doesn't get some trust it goes away. This may
>>> also be implemented.
>> This would require adding trust to new people. As you can see with FMS,
>> having everyone spending daily time on trustlist adjustments is just an
>> idea, which won't come true. So this would mean that every identity that
>> is not very active will lose any trust and would have to introduce himself
>> again. More pain and work resulting in less users.
> 
> See my proposal (other mail in this thread, also discussed
> previously).  Short-range but long-lived trust is a better substitute,
> imho.

I would call it censorship because those that see you because of captcha
announcement can themselves say what happens,
-if they don't give you trust, most won't see you => you are lost, are censored
-if they give you trust, everyone will see you => not censored

This would give a small group of people the chance to censor newly announced
identities (also the group may be different for every identity).

> 
>>> - Limits on identity churn in any trust list (1 new identity per day
>>> averaged over a week or something), to ensure that an attacker who has
>>> trust cannot constantly add new identities.
>> Only the number of identities added because of solved captchas should be
>> limited and the limit number is the number of announced captchas, which
>> should be more than around 1/day. For added identities from others, you
>> will always do some basic review, maybe with some advanced option to
>> remove all identities introduced by a specific identity.
> 
> No, that is not sufficient.  The attack that makes it necessary (which
> is also possible on FMS, btw -- in fact it's even more effective) is
> fairly simple.  A spammer gets a dummy identity trusted manually by
> other people.  He then has it mark several other identities as
> trustworthy.  Those identities then spam as much as is worthwhile
> (limited only by message count limits, basically).  The spammer then
> removes them from the dummy identity published trust list, adds new
> spamming identities, and repeats.  The result is that his one main
> identity can get a large quantity of spam through, even though it can
> only mark a limited number of child identities trusted and each of
> them can only send a limited amount of spam.
> 
> Also, what do you mean by review of identities added from others?
> Surely you don't mean that I should have to manually review every
> poster?  Isn't the whole point of using a wot in the first place that
> I can get good trust estimates of 

[freenet-dev] Why WoTs won't work....

2009-05-22 Thread Evan Daniel
On Fri, May 22, 2009 at 5:03 PM, Matthew Toseland
 wrote:
>>  - Making CAPTCHA announcement provide some form of short-lived trust, 
>>  so if
>>  the newly introduced identity doesn't get some trust it goes away. This 
>>  may
>>  also be implemented.
>> >>> This would require adding trust to new people. As you can see with FMS,
>> >>> having everyone spending
>> >>> daily time on trustlist adjustments is just an idea, which won't come
>> >>> true. So this would mean that
>> >>> every identity that is not very active will lose any trust and would
>> >>> have to introduce himself
>> >>> again. More pain and work resulting in less users.
>> >>
>> >> See my proposal (other mail in this thread, also discussed
>> >> previously).  Short-range but long-lived trust is a better substitute,
>> >> imho.
>> >
>> > I would call it censorship because those that see you because of captcha 
>> > announcement can themselves
>> > say what happens,
>> > -if they don't give you trust, most won't see you => you are lost, are
>> > censored
>> > -if they give you trust, everyone will see you => not censored
>> >
>> > This would give a small group of people the chance to censor newly 
>> > announced identities (also the
>> > group may be different for every identity).
>>
>> Then use a more permissive capacity:distance function.  There is no
>> requirement that you use a shorter range function, or that you use the
>> same function as everyone else.  IMHO, the default should be somewhat
>> shorter range, in an attempt to balance the number of people that see
>> new identities.  As you observe, too few leads to censorship
>> possibilities (out of malice or just plain laziness).  Too many means
>> that an identity with CAPTCHA trust only can spam and have everyone
>> see that spam, which provides the spammer a reasonably efficient way
>> to send spam.
>
> So it's a tradeoff which can be easily configured by the user.

Yes.  As always, intelligent defaults are important; they should be
applicable to most newbies, but don't need to meet everyone's needs.
And if you change it unwisely, you hurt only yourself (other people
don't even notice).

>
> I agree with pretty much all of the above, but the medium-term worry is that 
> we will start to have to worry about those who trust spammers, and those who 
> trust those who trust spammers. By eliminating negative trust, Advogato 
> forces us to either tolerate a certain (and unclear) amount of spam, or spend 
> a lot of effort on hunting down those who trust spammers, resulting in 
> massive collateral damage.
>> >>
>> >> Also, what do you mean by review of identities added from others?
>> >> Surely you don't mean that I should have to manually review every
>> >> poster?  Isn't the whole point of using a wot in the first place that
>> >> I can get good trust estimates of people I've never seen before?
>> >
>> > In FMS, there is currently a simple page, where the latest added
>> > identities are listed and how they
>> > were listed. So if you get many spamming identities and they are all
>> > added from 1 trusted peer,
>> > just remove his trustlist trust and all those new spamming identities won't
>> > reach you.
>
> We want to make it easy, or nobody will do it. Poring over your trust list 
> day after day is not most people's idea of fun.
>
> There are three approaches, given positive trust only. Depending on the level 
> of effort exerted by the spammer, we move from one tradeoff between spam 
> resistance and censorship resistance to the next. IMHO the last stage 
> involves significant risk of censorship or at least collateral damage, while 
> obviously having the strongest spam resistance.
>
> The first approach is to mark spammers as spammers, and limit the capacity of 
> trusted identities to create new spammers by for example limits on the number 
> of identities that can change in a trust list in one day. This means that 
> everyone will have to mark all the spam identities as spam, much as in Frost 
> with the Alice bot. It will deter newbies, but it should be usable for the 
> determined. Note that it is *essential* on a positive trust only network that 
> our spam markings override others' positive trust levels.
>
> The second approach is when we mark an identity as spam, WoT realises that an 
> identity trusting that spammer also trusts a lot of other spammers, and 
> proposes that we mark the parent identity as a spammer, at least for purposes 
> of trust list trust. Hopefully this will be enough. The cost for every user 
> will be to mark a few spammer posts as spam, and then accept WoT's 
> recommendation to mark the parent as spammer. "A few" will be an arbitrary 
> parameter that will have to be argued about, higher means less chance of 
> marking non-spammers as spammers, but at the cost of seeing more spam.
>
> The third approach is that when we mark the parent identity as spam, WoT 
> suggests marking those who trust the parent identity also as 

[freenet-dev] Why WoTs won't work....

2009-05-22 Thread Evan Daniel
On Fri, May 22, 2009 at 4:16 PM, Matthew Toseland
 wrote:
> On Friday 22 May 2009 15:39:06 Evan Daniel wrote:
>> On Fri, May 22, 2009 at 8:17 AM, Matthew Toseland
>>  wrote:
>> > On Friday 22 May 2009 08:17:55 bbackde at googlemail.com wrote:
>> >> Isn't his point that the users just won't maintain the trust lists?
>> >> I thought that is the problem that he meant how can Advogato help us
>> > here?
>> >
>> > Advogato with only positive trust introduces a different tradeoff, which is
>> > still a major PITA to maintain, but maybe less of one:
>> > - Spammers only disappear when YOU mark them as spammers, or ALL the people
>> > you trust do. Right now they disappear when the majority, from the point of
>> > view of your position on the WoT, mark them as spammers (more or less).
>>
>> When they *fail to mark them as trusted*.  It's an important
>> distinction, as it means that in order for the spammer to do anything
>> they first have to *manually* build trust.  If an identity suddenly
>> starts spamming, only people that originally marked it as trusted have
>> to change their trust lists in order to stop them.
>>
>> > - If you mark a spammer as positive because he posts useful content on one
>> > board, and you don't read the boards he spams you are likely to get marked 
>> > as
>> > a spammer yourself.
>>
>> Depends how militant people are.  I suspect in practice people won't
>> do this unless you trust a lot of spammers... in which case they have
>> a point.  (This is also a case for distinguishing message trust from
>> trust list trust; while Advogato doesn't do this, the security proof
>> extends to cover it without trouble.)  You can take an in-between
>> step: if Alice marks both Bob and Carol as trusted, and Bob marks
>> Carol a spammer, Alice's software notices and alerts Alice, and offers
>> to show Alice recent messages from Carol from other boards.
>> (Algorithmically, publishing "Sam is a spammer" is no different from
>> not publishing anything about Sam, but it makes some nice things
>> possible from a UI standpoint.)  This may well get most of the benefit
>> of ultimatums with lower complexity.
>
> Right, this is something I keep forgetting to mention. When marking a user as 
> a spammer, the UI should ask the user about people who trust that spammer and 
> other spammers. However, it does encourage militancy, doesn't it? It 
> certainly doesn't solve the problem the way that ultimatums do...

I don't know how much militancy the software should encourage.  I'm
inclined to think it should start low, and then change it if that
doesn't work.

>>
>> > - If a spammer doesn't spam himself, but gains trust through posting useful
>> > content on various boards and then spends this trust by trusting spam
>> > identities, it will be necessary to give him zero message list trust. Again
>> > this has serious issues with collateral damage, depending on how
>> > trigger-happy people are and how much of a problem it is for newbies to see
>> > spam.
>> >
>> > Technologically, this requires:
>> > - Changing WoT to only support positive trust. This is more or less a one 
>> > line
>> > change.
>>
>> If all you want is positive trust only, yes.  If you want the security
>> proof, it requires using the network flow algorithm as specified in
>> the paper, which is a bit more complex.  IMHO, fussing with the
>> algorithm in ways that don't let you apply the security proof is just
>> trading one set of alchemy for another -- it might help, but I don't
>> think it would be wise.
>
> I was under the impression that WoT already used Advogato, apart from 
> supporting negative trust values and therefore negative trust.

The documentation mentions Advogato, and there are some diagrams that
relate to it, but none of the detailed description of the algorithm is
at all related.  Advogato is based on network flow computation.  WoT
as described on the freesite is not -- an identity with 40 trust
points is permitted to give up to 40 points *each* to any number of
child identities, with the actual number given determined by a trust
rating.

In contrast, Advogato has multiple levels of trust, and each identity
either trusts or does not trust each other identity at a given level.
The number of trust points an identity gets is based on capacity and
the optimal flow path.  It does not speak to how trustworthy that
identity is; at a given trust level, the algorithm either accepts or
does not accept a given identity.  Multiple trust levels (eg, a level
for captcha solving and a level for manual trust) implies running the
algorithm multiple times on different (though related) graphs; when
running at a given level, connections at that level and all higher
levels are used.

This implies running Ford-Fulkerson or similar; it's more complicated
than the current system, though not drastically so.
http://en.wikipedia.org/wiki/Ford-Fulkerson_algorithm

>>
>> > - Making sure that my local ratings always override those given by others, 
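
The network-flow acceptance rule described in the message above, as an added sketch that is not code from the thread, from WoT or from FMS. The capacity schedule, the identity names and the function names are assumptions made for the illustration; the construction (each identity split into an "in" and "out" node, one unit to a supersink, capacity falling with distance from the seed) follows the Advogato trust metric, solved here with shortest-augmenting-path Ford-Fulkerson.

```python
from collections import deque, defaultdict

# Assumed capacity:distance schedule (seed, distance 1, distance 2 and beyond).
CAPACITY_BY_DISTANCE = [8, 3, 1]
SINK = "__supersink__"
INF = 10**9


def distances(seed, certs):
    """Breadth-first distance of every identity reachable from the seed."""
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        a = queue.popleft()
        for b in certs.get(a, ()):
            if b not in dist:
                dist[b] = dist[a] + 1
                queue.append(b)
    return dist


def accepted(seed, certs, caps=CAPACITY_BY_DISTANCE):
    """Return the identities accepted from the seed's point of view.

    certs maps an identity to the identities it marks as trusted
    (positive trust only). An identity is accepted when one unit of
    flow reaches the supersink through its own "in" node.
    """
    dist = distances(seed, certs)
    res = defaultdict(lambda: defaultdict(int))  # residual capacities
    for node, d in dist.items():
        c = caps[min(d, len(caps) - 1)]
        res[(node, "in")][SINK] = 1                  # accepting this identity
        res[(node, "in")][(node, "out")] = c - 1     # what it may pass on
        for b in certs.get(node, ()):
            res[(node, "out")][(b, "in")] = INF
    source = (seed, "in")
    while True:
        # Shortest augmenting path (BFS) in the residual graph.
        parent = {source: None}
        queue = deque([source])
        while queue and SINK not in parent:
            u = queue.popleft()
            for v, c in list(res[u].items()):
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if SINK not in parent:
            break
        path, v = [], SINK
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(res[u][v] for u, v in path)
        for u, v in path:
            res[u][v] -= push
            res[v][u] += push
    return {n for n in dist if res[SINK][(n, "in")] > 0}


def scenario(n_sybils, me_trusts=("alice", "bob")):
    """Constructed graph: 'bob' is a manually trusted identity that
    marks n_sybils throwaway identities as trusted."""
    sybils = [f"spam{i}" for i in range(n_sybils)]
    certs = {"me": list(me_trusts), "alice": ["carol"], "bob": sybils}
    acc = accepted("me", certs)
    return acc, [s for s in sybils if s in acc]


if __name__ == "__main__":
    for n in (5, 50):
        acc, spam = scenario(n)
        print(n, "sybils published,", len(spam), "accepted")
```

With this schedule the number of accepted throwaway identities is fixed by bob's capacity, not by how many he lists, and dropping bob from the seed's own trust list removes all of them.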

[freenet-dev] Why WoTs won't work....

2009-05-22 Thread Thomas Sachau
Matthew Toseland schrieb:
> On Friday 22 May 2009 08:17:55 bbackde at googlemail.com wrote:
>> Isn't his point that the users just won't maintain the trust lists?
>> I thought that is the problem that he meant how can Advogato help us 
>> here?
> 
> Advogato with only positive trust introduces a different tradeoff, which is 
> still a major PITA to maintain, but maybe less of one:
> - Spammers only disappear when YOU mark them as spammers, or ALL the people 
> you trust do. Right now they disappear when the majority, from the point of 
> view of your position on the WoT, mark them as spammers (more or less).

So this is a disadvantage of Advogato against current FMS implementation. With
the current FMS
implementation, only a majority of trusted identities need to mark him down,
with Advogato, either
all original trusters need to mark him down or you need to do it yourself
(either mark him down or
everyone, who trusts him, so
FMS 1:0 Advogato

> - If you mark a spammer as positive because he posts useful content on one 
> board, and you don't read the boards he spams you are likely to get marked as 
> a spammer yourself.

If this is true for Advogato, it is again a disadvantage. You should not be
responsible for something
you don't see and did. In FMS, this would result in a reduced Trustlist Trust,
which just means that
you are not trusted to introduce new identities, no spammer mark or similar, so
FMS 2:0 Advogato

> - If a spammer doesn't spam himself, but gains trust through posting useful 
> content on various boards and then spends this trust by trusting spam 
> identities, it will be necessary to give him zero message list trust. Again 
> this has serious issues with collateral damage, depending on how 
> trigger-happy people are and how much of a problem it is for newbies to see 
> spam.

Again, disadvantage for Advogato, if that is true, but basically the same as
above: This is solved via
reduced Trustlist Trust, not reducing message trust in FMS.

> Technologically, this requires:
> - Making sure that my local ratings always override those given by others, so 
> I can mark an identity as spam and never see it again. Dunno if this is 
> currently implemented.

This is possible with FMS (optional, either your vote is part of the final 
trust calculation or it
overrides the overall trust result).

> - Making CAPTCHA announcement provide some form of short-lived trust, so if 
> the newly introduced identity doesn't get some trust it goes away. This may 
> also be implemented.

This would require adding trust to new people. As you can see with FMS, having
everyone spending
daily time on trustlist adjustments is just an idea, which won't come true. So
this would mean that
every identity that is not very active will lose any trust and would have to
introduce himself
again. More pain and work resulting in less users.

> - Limits on identity churn in any trust list (1 new identity per day averaged 
> over a week or something), to ensure that an attacker who has trust cannot 
> constantly add new identities.

Only the number of identities added because of solved captchas should be 
limited and the limit
number is the number of announced captchas, which should be more than around 
1/day. For added
identities from others, you will always do some basic review, maybe with some 
advanced option to
remove all identities introduced by a specific identity.

> It probably also requires:
> - Some indication of which trusted identities trust a spammer when you mark 
> an 
> identity as a spammer.

In FMS, you can simply watch the list of trusts of the spammer identity to get 
this information.

> - Sending an ultimatum to the trusted identity that trusts more than one 
> spammer: stop trusting spammers or we'll stop trusting you. This would have 
> to be answered in a reasonable time, hence is a problem for those not 
> constantly at their nodes.

You may note him about it, if you want (either public, or if implemented via
private message), but
basically, why this warning? Does it help him in any way, if we trust him or does
it harm him, if we
don't any more trust him? At least in FMS it does not change his visibility, but
may change the
trustlist trust that others get for him and so may or may not include his
trusts.


[freenet-dev] Why WoTs won't work....

2009-05-22 Thread Evan Daniel
On Fri, May 22, 2009 at 12:39 PM, Thomas Sachau  wrote:
> Evan Daniel schrieb:
>> On Fri, May 22, 2009 at 10:48 AM, Thomas Sachau  
>> wrote:
>>> Matthew Toseland schrieb:
>>>> On Friday 22 May 2009 08:17:55 bbackde at googlemail.com wrote:
>>>>> Isn't his point that the users just won't maintain the trust lists?
>>>>> I thought that is the problem that he meant how can Advogato help us
>>>>> here?
>>>> Advogato with only positive trust introduces a different tradeoff, which is
>>>> still a major PITA to maintain, but maybe less of one:
>>>> - Spammers only disappear when YOU mark them as spammers, or ALL the people
>>>> you trust do. Right now they disappear when the majority, from the point of
>>>> view of your position on the WoT, mark them as spammers (more or less).
>>> So this is a disadvantage of Advogato against current FMS implementation.
>>> With the current FMS
>>> implementation, only a majority of trusted identities need to mark him
>>> down, with Advogato, either
>>> all original trusters need to mark him down or you need to do it yourself
>>> (either mark him down or
>>> everyone, who trusts him, so
>>> FMS 1:0 Advogato
>>
>> As I've said repeatedly, I believe there is a fundamental tradeoff
>> between spam resistance and censorship resistance, in the limiting
>> case.  (It's obviously possible to have an algorithm that does poorly
>> at both.)  Advogato *might* let more spam through than FMS.  There is
>> no proof provided for how much spam FMS lets through; with Advogato it
>> is limited in a provable manner.  Alchemy is a bad thing.  FMS
>> definitely makes censorship by the mob easier.  By my count, that's a
>> win for Advogato on both.
>
> I don't think you can divide between "spam resistance" and "censorship
> resistance" for a simple
> reason: Who defines what sort of action or text is spam? Many people may
> mostly agree about some
> sort of action or content to be spam, but others could claim the reduced
> visibility censorship.
> And i don't see any alchemy with the current trust system of FMS, if something
> is alchemy and not
> clear, please point it out, but the exact point please.
> And FMS does not make "censorship by a mob easier". Simply because you should
> select the people you
> trust yourself. Like you should select your friends and darknet peers
> yourself. If you let others do
> it for you, don't argue about what follows (like a censored view on FMS).

Yes, the spam and censorship problems are closely related.  That's why
I say there is something of a tradeoff between them.  The problem with
FMS should be obvious: if some small group actively tries to censor
things I consider non-spam, then it requires a significant amount of
effort by me to stop that.  I have to look at trust lists that mostly
contain valid markings, and belong to real people posting real
messages, and somehow determine that some of the entries on them are
invalid, and then decide not to trust their trust list.  Furthermore,
I have to do this without actually examining each entry on their trust
list -- I'm trying to look at *less* spam here, not more.  The result
is a balkanization of trust lists based on differing policies.  Any
mistakes I make will go unnoticed, since I won't see the erroneously
rejected messages.

In FMS, a group with permissive policies (spam filtering only) and a
group that filtered content they found objectionable can't make
effective use of each other's trust lists.  However, the former group
would like to trust the not-spammer ratings made by the latter group,
and the latter group would like to trust the spammer ratings made by
the former.  AIUI, the balkanization of FMS trust lists largely
prevents this.  Advogato would allow the permissive group to make use
of the less permissive group's ratings, without allowing them to act
as censors.

IMHO, the Advogato case is better for two reasons: first, favoring
those who only want to stop spam over those who want to filter
objectionable content is more consistent with the philosophy behind
Freenet.  Second, spam filters of any sort should be biased towards
type II errors, since they're less problematic and easier to correct.

Essentially, I think that FMS goes overboard in its attempts to reduce
spam.  It is my firm belief that limiting the amount of spam that can
be sent to a modest linear function of the amount of *manual* effort a
spammer exerts is sufficient.  Spam is a problem in both Frost and
email because spammers can simply run bots.  The cost of FMS, both in
worry over mob censorship and work required to maintain trust lists,
is very high.  I think that the total effort spent by the community
would be reduced by the use of an algorithm that took more effort to
stop spammers, and less effort to enable normal communications.  We
need to be aware of what we optimize for, and make sure it's really
what we want.

I've explained why FMS is alchemy before, but it's an important point,
so I don't mind repeating it.  FMS 

[freenet-dev] Why WoTs won't work....

2009-05-22 Thread Matthew Toseland
On Saturday 09 May 2009 17:57:41 gulli at gmx.org wrote:
> Interesting discussion from Frost, especially the last post at the bottom. 
Its about WoTs in general and why they won't work.
> 
> 
> 
> - Hahahahah at YLE3ZHs5LkiwE3FdJyQlcF5+RkA - 2009.04.05 - 
02:28:11GMT -
> 
> I had to forward this one here.
> 
> --- jezreel?X~GLTTHo9aaYtIpGT6OOyBMMFwl3b8LwFu6TUw9Q82E sent via FMS on 
2009-04-05 at 01:31:54GMT ---
> 
> Probably not an amazing subject, but FMS is so dead lately so what the 
> hell.  Falafel, why do some of the folks posting to Frost hate you so 
> much?  In particular Luke771 and VolodyA.  You generally seem like a 
> nice identity so I'm just curious.
> -- 
> 
jezreel at 
pbxwgrdegrigwuteoz3tc6cfla2xu3trmi2tgr2enfrvi4bxkzlectshfvyw2wcxkrffslccijku4z2om5gtoojrpzdfcolkovtdawjuifigkrcqjbevsvrnla2xotcdpfvw6lkmkzzsyqkrifbucqkf.freemail
> 
> ;))
> 
> - VolodyA! V A at r0pa7z7JA1hAf2xtTt7AKLRe+yw - 2009.04.11 - 
12:11:26GMT -
> 
> I should point out i do not hate falafel, i do not know him. I do hate what
> he is doing to Freenet, however. If he was to stop supporting introduction of
> censorship on Freenet i would not say anything bad about him.
> 
> In fact i tend to agree with much of what he has to say on other subjects.
> 
> -- 
> May all the sentient beings benefit from our conversation.
> 
> - Denminkan at DlKKAIKia79j4oVPbgFK4zNh25Y - 2009.04.14 - 
16:13:07GMT -
> 
> Falafel is doing nothing. If a single guy can make the protocol not work, 
then the protocol is shitty from the start and we need to write a new one.
> 
> - Anonymous - 2009.04.14 - 20:46:59GMT -
> 
> The only shit around here is spewing from the mouths of those who don't 
understand how it works.  No one can stop you from seeing what you want to 
see.  Anyone who tells you otherwise is spreading misinformation.
> 
> - Luke771 at CH4jCmDc27eeqm9Cw_WvJu+COIM - 2009.05.04 - 
01:01:46GMT -
> 
> 
> No one can really censor FMS alright, BUT there IS a problem with
> those 'censored trust lists' anyway.
> The existence of censored trust lists forces users to actively maintain
> their own trust lists, the WoT won't work 'on its own' as it would if everyone
> used it the way it's supposed to.
>
> Let me try to explain: if everyone used wot to block flood attacks and
> nothing else, new users wouldn't need to try and find out which trust lists
> are 'good', they wouldn't need to work on their trust lists for hours every
> day, try to spot censors or "guys who won't block pedos", they could simply
> use FMS and occasionally set a high trust for someone they actually trust, or
> lower the trust for someone they caught spamming
>
> But the current situation makes FMS a pain in the ass. Users have to work on
> your trust lists regularly, and new users risk (and probably do) to have some
> of the content blocked by some censor because the guy posted one message on a
> board that the censor found 'immoral'.
>
> It may take time until the new user figures out which trust lists to use,
> and there's a very real risk that he would think that it isn't worth the
> hassle and give up on FMS completely.
> I did that, others did that, and more will.
>
> THAT is the real problem with the Little Brothers, not their non-existent
> ability to censor content. they can't censor anything and they know it. But
> they can and do make FMS a pain in the ass to use.
>
> Another problem is that, assuming that the fms community will survive (which
> i don't think it will), it may end up split into a number of closed
> sub-communities that refuse to talk to each other. But this is only a guess,
> so far. We'll have to see how it turns out.
>
> In the meantime, making FMS into a PITA has been done already, that is why
> FMS is as good as dead, and that's why I think that investing developers'
> time and effort into WoT and Freetalk is a huge waste: FMS failed because of
> human stupidity and arrogance, and so will Freetalk/WoT, and I really can't
> understand why the devs can't see the obvious (or refuse to admit it)
>
> BTW, I don't hate Falafel. Hate costs energy. A lot of it.

The devs don't care because there are no practical alternatives, and because I 
at least don't use FMS, since nobody I trust has reviewed it, and it can't be 
bundled so I won't. However, evanbd's work on positive trust is worth 
considering, see my other email.

[freenet-dev] Why WoTs won't work....

2009-05-22 Thread Matthew Toseland
On Friday 22 May 2009 08:17:55 bbackde at googlemail.com wrote:
> Isn't his point that the users just won't maintain the trust lists?
> I thought that is the problem that he meant how can Advogato help us 
here?

Advogato with only positive trust introduces a different tradeoff, which is 
still a major PITA to maintain, but maybe less of one:
- Spammers only disappear when YOU mark them as spammers, or ALL the people 
you trust do. Right now they disappear when the majority, from the point of 
view of your position on the WoT, mark them as spammers (more or less).
- If you mark a spammer as positive because he posts useful content on one 
board, and you don't read the boards he spams you are likely to get marked as 
a spammer yourself.
- If a spammer doesn't spam himself, but gains trust through posting useful 
content on various boards and then spends this trust by trusting spam 
identities, it will be necessary to give him zero message list trust. Again 
this has serious issues with collateral damage, depending on how 
trigger-happy people are and how much of a problem it is for newbies to see 
spam.

Technologically, this requires:
- Changing WoT to only support positive trust. This is more or less a one line 
change.
- Making sure that my local ratings always override those given by others, so 
I can mark an identity as spam and never see it again. Dunno if this is 
currently implemented.
- Making CAPTCHA announcement provide some form of short-lived trust, so if 
the newly introduced identity doesn't get some trust it goes away. This may 
also be implemented.
- Limits on identity churn in any trust list (1 new identity per day averaged 
over a week or something), to ensure that an attacker who has trust cannot 
constantly add new identities.

It probably also requires:
- Some indication of which trusted identities trust a spammer when you mark an 
identity as a spammer.
- Sending an ultimatum to the trusted identity that trusts more than one 
spammer: stop trusting spammers or we'll stop trusting you. This would have 
to be answered in a reasonable time, hence is a problem for those not 
constantly at their nodes.

evanbd has argued that the latter two measures are unnecessary, and that the 
limited number of spam identities that any one identity can introduce will 
make the problem manageable. An attacker who just introduces via a CAPTCHA 
will presumably only get short-lived trust, and if he only posts spam he 
won't get any positive trust. An attacker who contributes to boards to gain 
trust to create spamming sub-identities with has to do manual work to gain 
and maintain reputation among some sub-community. A newbie will not see old 
captcha-based spammers, only new ones, and those spam identities that the 
attacker's main, positive identity links to. He will have to manually block 
each such identity, because somebody is bound to have positive trust for the 
spammer parent identity.

In terms of UI, if evanbd is right, all we need is a button to mark the poster 
of a message as a spammer (and get rid of all messages from them), and a 
small amount of automatic trust when answering a message (part of the UI so 
it can be disabled). Only those users who know how, and care enough, would 
actually change the trust for the spammer-parent, and in any case doing so 
would only affect them and contribute nothing to the community.

But if he is wrong, or if an attacker is sufficiently determined, we will also 
need some way to detect spam-parents, and send them ultimatums.
> 
> On Fri, May 22, 2009 at 05:51, Evan Daniel  wrote:
> > It's not all that interesting.  It has been discussed to death many
> > times.  The Advogato algorithm (or something like it) solves this
> > problem (not perfectly, but far, far better than the current FMS / WoT
> > alchemy), as I have explained in great detail.
> >
> > Evan Daniel
> >
> > On Sat, May 9, 2009 at 12:57 PM, ? wrote:
> >> Interesting discussion from Frost, especially the last post at the 
bottom. Its about WoTs in general and why they won't work.
> >>
> >>
> >>
> >> - Hahahahah at YLE3ZHs5LkiwE3FdJyQlcF5+RkA - 2009.04.05 - 
02:28:11GMT -
> >>
> >> I had to forward this one here.
> >>
> >> --- jezreel?X~GLTTHo9aaYtIpGT6OOyBMMFwl3b8LwFu6TUw9Q82E sent via FMS 
on 2009-04-05 at 01:31:54GMT ---
> >>
> >> Probably not an amazing subject, but FMS is so dead lately so what the
> >> hell.  Falafel, why do some of the folks posting to Frost hate you so
> >> much?  In particular Luke771 and VolodyA.  You generally seem like a
> >> nice identity so I'm just curious.
> >> --
> >> 
jezreel at 
pbxwgrdegrigwuteoz3tc6cfla2xu3trmi2tgr2enfrvi4bxkzlectshfvyw2wcxkrffslccijku4z2om5gtoojrpzdfcolkovtdawjuifigkrcqjbevsvrnla2xotcdpfvw6lkmkzzsyqkrifbucqkf.freemail
> >>
> >> ;))
> >>
> >> - VolodyA! V A at r0pa7z7JA1hAf2xtTt7AKLRe+yw - 2009.04.11 - 
12:11:26GMT -
> >>
> >> I should point out i do not hate falafel, i do not know him. I do hate 
what he 

[freenet-dev] Why WoTs won't work....

2009-05-22 Thread Evan Daniel
On Fri, May 22, 2009 at 10:48 AM, Thomas Sachau  wrote:
> Matthew Toseland schrieb:
>> On Friday 22 May 2009 08:17:55 bbackde at googlemail.com wrote:
>>> Isn't his point that the users just won't maintain the trust lists?
>>> I thought that is the problem that he meant how can Advogato help us
>>> here?
>>
>> Advogato with only positive trust introduces a different tradeoff, which is
>> still a major PITA to maintain, but maybe less of one:
>> - Spammers only disappear when YOU mark them as spammers, or ALL the people
>> you trust do. Right now they disappear when the majority, from the point of
>> view of your position on the WoT, mark them as spammers (more or less).
>
> So this is a disadvantage of Advogato against current FMS implementation. With
> the current FMS
> implementation, only a majority of trusted identities need to mark him down,
> with Advogato, either
> all original trusters need to mark him down or you need to do it yourself
> (either mark him down or
> everyone, who trusts him, so
> FMS 1:0 Advogato

As I've said repeatedly, I believe there is a fundamental tradeoff
between spam resistance and censorship resistance, in the limiting
case.  (It's obviously possible to have an algorithm that does poorly
at both.)  Advogato *might* let more spam through than FMS.  There is
no proof provided for how much spam FMS lets through; with Advogato it
is limited in a provable manner.  Alchemy is a bad thing.  FMS
definitely makes censorship by the mob easier.  By my count, that's a
win for Advogato on both.

>
>> - If you mark a spammer as positive because he posts useful content on one
>> board, and you don't read the boards he spams you are likely to get marked as
>> a spammer yourself.
>
> If this is true for Advogato, it is again a disadvantage. You should not be
> responsible for something
> you don't see and did. In FMS, this would result in a reduced Trustlist Trust,
> which just means that
> you are not trusted to introduce new identities, no spammer mark or similar,
> so
> FMS 2:0 Advogato

The Advogato algorithm extends (while maintaining the proof validity)
to separate message and trust list trusts just fine.  I'm inclined to
think making the distinction is a good idea, for exactly this case.
Once the distinction is present, the two should behave fairly
similarly.

>
>> - If a spammer doesn't spam himself, but gains trust through posting useful
>> content on various boards and then spends this trust by trusting spam
>> identities, it will be necessary to give him zero message list trust. Again
>> this has serious issues with collateral damage, depending on how
>> trigger-happy people are and how much of a problem it is for newbies to see
>> spam.
>
> Again, disadvantage for Advogato, if that is true, but basically the same as
> above: This is solved via reduced Trustlist Trust, not reducing message trust
> in FMS.
>
>> Technologically, this requires:
>> - Making sure that my local ratings always override those given by others, so
>> I can mark an identity as spam and never see it again. Dunno if this is
>> currently implemented.
>
> This is possible with FMS (optional, either your vote is part of the final
> trust calculation or it overrides the overall trust result).

Having that option sounds like a good idea, regardless of the
underlying algorithm.

>
>> - Making CAPTCHA announcement provide some form of short-lived trust, so if
>> the newly introduced identity doesn't get some trust it goes away. This may
>> also be implemented.
>
> This would require adding trust to new people. As you can see with FMS, having
> everyone spending daily time on trustlist adjustments is just an idea, which
> won't come true. So this would mean that every identity that is not very active
> will lose any trust and would have to introduce himself again. More pain and
> work resulting in less users.

See my proposal (other mail in this thread, also discussed
previously).  Short-range but long-lived trust is a better substitute,
imho.

>
>> - Limits on identity churn in any trust list (1 new identity per day averaged
>> over a week or something), to ensure that an attacker who has trust cannot
>> constantly add new identities.
>
> Only the number of identities added because of solved captchas should be
> limited and the limit number is the number of announced captchas, which should
> be more than around 1/day. For added identities from others, you will always do
> some basic review, maybe with some advanced option to remove all identities
> introduced by a specific identity.

No, that is not sufficient.  The attack that makes it necessary (which
is also possible on FMS, btw -- in fact it's even more effective) is
fairly simple.  A spammer gets a dummy identity trusted manually by
other people.  He then has it mark several other identities as
trustworthy.  Those identities then spam as much as is worthwhile
(limited only by message count limits, basically).  The spammer then
removes them 

[freenet-dev] Why WoTs won't work....

2009-05-22 Thread Evan Daniel
On Fri, May 22, 2009 at 8:17 AM, Matthew Toseland
 wrote:
> On Friday 22 May 2009 08:17:55 bbackde at googlemail.com wrote:
>> Isn't his point that the users just won't maintain the trust lists?
>> I thought that is the problem that he meant how can Advogato help us
> here?
>
> Advogato with only positive trust introduces a different tradeoff, which is
> still a major PITA to maintain, but maybe less of one:
> - Spammers only disappear when YOU mark them as spammers, or ALL the people
> you trust do. Right now they disappear when the majority, from the point of
> view of your position on the WoT, mark them as spammers (more or less).

When they *fail to mark them as trusted*.  It's an important
distinction, as it means that in order for the spammer to do anything
they first have to *manually* build trust.  If an identity suddenly
starts spamming, only people that originally marked it as trusted have
to change their trust lists in order to stop them.

> - If you mark a spammer as positive because he posts useful content on one
> board, and you don't read the boards he spams you are likely to get marked as
> a spammer yourself.

Depends how militant people are.  I suspect in practice people won't
do this unless you trust a lot of spammers... in which case they have
a point.  (This is also a case for distinguishing message trust from
trust list trust; while Advogato doesn't do this, the security proof
extends to cover it without trouble.)  You can take an in-between
step: if Alice marks both Bob and Carol as trusted, and Bob marks
Carol a spammer, Alice's software notices and alerts Alice, and offers
to show Alice recent messages from Carol from other boards.
(Algorithmically, publishing "Sam is a spammer" is no different from
not publishing anything about Sam, but it makes some nice things
possible from a UI standpoint.)  This may well get most of the benefit
of ultimatums with lower complexity.

> - If a spammer doesn't spam himself, but gains trust through posting useful
> content on various boards and then spends this trust by trusting spam
> identities, it will be necessary to give him zero message list trust. Again
> this has serious issues with collateral damage, depending on how
> trigger-happy people are and how much of a problem it is for newbies to see
> spam.
>
> Technologically, this requires:
> - Changing WoT to only support positive trust. This is more or less a one line
> change.

If all you want is positive trust only, yes.  If you want the security
proof, it requires using the network flow algorithm as specified in
the paper, which is a bit more complex.  IMHO, fussing with the
algorithm in ways that don't let you apply the security proof is just
trading one set of alchemy for another -- it might help, but I don't
think it would be wise.

> - Making sure that my local ratings always override those given by others, so
> I can mark an identity as spam and never see it again. Dunno if this is
> currently implemented.
> - Making CAPTCHA announcement provide some form of short-lived trust, so if
> the newly introduced identity doesn't get some trust it goes away. This may
> also be implemented.

My proposal: there are two levels of trust (implementation starts
exactly as per Advogato levels).  The lower level is CAPTCHA trust;
the higher is manually set only.  (This extends to multiple manual
levels without loss of generality.)  First, the algorithm is run
normally on the manual trust level.  Then, the algorithm is re-run on
the CAPTCHA trust level, with modification: identities that received
no manual trust have severely limited capacity (perhaps as low as 1),
and the general set of capacity vs distance from root is changed to
not go as deep.

The first part means that the spammer can't chain identities *at all*
before getting the top one manually trusted.  The second means that
identities that only solved a CAPTCHA will only be seen by a small
number of people -- ie they can't spam everyone.  The exact numbers
for flow vs depth would need some tuning for both trust levels,
obviously.  You want enough people to see new identities that they
will receive manual trust.

> - Limits on identity churn in any trust list (1 new identity per day averaged
> over a week or something), to ensure that an attacker who has trust cannot
> constantly add new identities.

This is clearly required (to prevent a spammer multiplying a limited
trust to introduce many throw-away identities, each of which spams up
to the message count limits).  However, it does present a new problem:
because trust capacities are limited, it provides a far more effective
DOS of the CAPTCHA queue than simply answering all CAPTCHAs.  I'm not
sure how to handle that.  A DOS that prevents new users from joining
is particularly vicious.

>
> It probably also requires:
> - Some indication of which trusted identities trust a spammer when you mark an
> identity as a spammer.
> - Sending an ultimatum to the trusted identity that trusts more 
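
Added example (not part of the mail above and not code from Freenet, FMS or WoT): the two-pass scheme proposed in that message, written in Python on top of an Advogato-style max-flow trust metric, run on a constructed trust graph. The identity names, both capacity schedules, and the reading of "received no manual trust" as "was not accepted in the manual pass" are assumptions made for illustration.

```python
from collections import defaultdict, deque

INF = float("inf")
SINK = "__sink__"

def max_flow(cap, source, sink):
    """Edmonds-Karp (shortest augmenting path first); mutates the residual graph."""
    while True:
        parent = {source: None}
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return
        path, v = [], sink
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        bottleneck = min(cap[u][v] for u, v in path)
        for u, v in path:
            cap[u][v] -= bottleneck
            cap[v][u] += bottleneck

def advogato(trust, seed, schedule, full_capacity=None):
    """Return the identities accepted from `seed`'s point of view.

    trust: dict mapping truster -> iterable of identities it trusts.
    schedule: node capacity by distance from the seed (0 beyond its end).
    full_capacity: if given, identities outside this set are capped at 1,
    so they can be accepted themselves but cannot pass trust on.
    """
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        u = queue.popleft()
        for v in trust.get(u, ()):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    # Split every identity x into x_in -> x_out (capacity c - 1) and
    # x_in -> sink (capacity 1); trust edges themselves are uncapped.
    cap = defaultdict(lambda: defaultdict(int))
    for x, d in dist.items():
        c = schedule[d] if d < len(schedule) else 0
        if full_capacity is not None and x not in full_capacity:
            c = min(c, 1)
        if c < 1:
            continue
        cap[(x, "in")][SINK] = 1
        cap[(x, "in")][(x, "out")] = c - 1
        for y in trust.get(x, ()):
            cap[(x, "out")][(y, "in")] = INF
    max_flow(cap, (seed, "in"), SINK)
    # Accepted means one unit of flow reached the sink through x_in.
    return {x for x in dist if cap[SINK][(x, "in")] == 1}

def merge_graphs(*graphs):
    merged = defaultdict(set)
    for graph in graphs:
        for truster, trusted in graph.items():
            merged[truster].update(trusted)
    return merged

def two_level_trust(manual, captcha, seed, manual_schedule, captcha_schedule):
    """Pass 1 on manual trust only; pass 2 on manual + CAPTCHA trust with
    identities that earned no manual trust capped at capacity 1."""
    manual_ok = advogato(manual, seed, manual_schedule)
    captcha_ok = advogato(merge_graphs(manual, captcha), seed,
                          captcha_schedule, full_capacity=manual_ok)
    return manual_ok, manual_ok | captcha_ok

# Constructed sample data (not taken from any real trust list).
MANUAL = {
    "seed": ["alice", "bob"],
    "alice": ["carol"],
    "bob": ["carol"],
    "spam0": ["spam1", "spam2", "spam3"],  # the spammer's own trust list
}
CAPTCHA = {"alice": ["spam0"], "bob": ["newbie"]}  # publisher -> solver
SYBILS = {"spam1", "spam2", "spam3"}
MANUAL_SCHEDULE = [8, 4, 2, 1, 1]
CAPTCHA_SCHEDULE = [8, 4, 2, 1]   # shallower than the manual schedule

if __name__ == "__main__":
    manual_ok, visible = two_level_trust(
        MANUAL, CAPTCHA, "seed", MANUAL_SCHEDULE, CAPTCHA_SCHEDULE)
    print("manually trusted:", sorted(manual_ok))
    print("visible         :", sorted(visible))
    plain = advogato(merge_graphs(MANUAL, CAPTCHA), "seed", CAPTCHA_SCHEDULE)
    print("sybils accepted without the capacity-1 rule:", len(plain & SYBILS))
```

With the cap in place, `spam0` and `newbie` are visible but `spam0` cannot vouch for any of its own identities; running the unmodified metric on the same graph lets one of them through, bounded by `spam0`'s capacity.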

[freenet-dev] Why WoTs won't work....

2009-05-22 Thread bbac...@googlemail.com
Isn't his point that the users just won't maintain the trust lists?
I thought that is the problem that he meant how can Advogato help us here?

On Fri, May 22, 2009 at 05:51, Evan Daniel  wrote:
> It's not all that interesting.  It has been discussed to death many
> times.  The Advogato algorithm (or something like it) solves this
> problem (not perfectly, but far, far better than the current FMS / WoT
> alchemy), as I have explained in great detail.
>
> Evan Daniel
>
> On Sat, May 9, 2009 at 12:57 PM, ? wrote:
>> Interesting discussion from Frost, especially the last post at the bottom. 
>> Its about WoTs in general and why they won't work.
>>
>>
>>
>> - Hahahahah at YLE3ZHs5LkiwE3FdJyQlcF5+RkA - 2009.04.05 - 
>> 02:28:11GMT -
>>
>> I had to forward this one here.
>>
>> --- jezreel?X~GLTTHo9aaYtIpGT6OOyBMMFwl3b8LwFu6TUw9Q82E sent via FMS on 
>> 2009-04-05 at 01:31:54GMT ---
>>
>> Probably not an amazing subject, but FMS is so dead lately so what the
>> hell.  Falafel, why do some of the folks posting to Frost hate you so
>> much?  In particular Luke771 and VolodyA.  You generally seem like a
>> nice identity so I'm just curious.
>> --
>> jezreel at 
>> pbxwgrdegrigwuteoz3tc6cfla2xu3trmi2tgr2enfrvi4bxkzlectshfvyw2wcxkrffslccijku4z2om5gtoojrpzdfcolkovtdawjuifigkrcqjbevsvrnla2xotcdpfvw6lkmkzzsyqkrifbucqkf.freemail
>>
>> ;))
>>
>> - VolodyA! V A at r0pa7z7JA1hAf2xtTt7AKLRe+yw - 2009.04.11 - 
>> 12:11:26GMT -
>>
>> I should point out i do not hate falafel, i do not know him. I do hate what 
>> he is doing to Freenet, however. If he was to stop supporting intruduction 
>> of censorship on Freenet i would not say anything bad about him.
>>
>> In fact i tend to agree with much of what he has to say on other subjects.
>>
>> --
>> May all the sentient beings benefit from our conversation.
>>
>> - Denminkan at DlKKAIKia79j4oVPbgFK4zNh25Y - 2009.04.14 - 
>> 16:13:07GMT -
>>
>> Falafel is doing nothing. If a single guy can make the protocol not work, 
>> then the protocol is shitty from the start and we need to write a new one.
>>
>> - Anonymous - 2009.04.14 - 20:46:59GMT -
>>
>> The only shit around here is spewing from the mouths of those who don't 
>> understand how it works.  No one can stop you from seeing what you want to
>> see.  Anyone who tells you otherwise is spreading misinformation.
>>
>> - Luke771 at CH4jCmDc27eeqm9Cw_WvJu+COIM - 2009.05.04 - 01:01:46GMT 
>> -
>>
>>
>> No one can really censor FMS alright, BUT there IS a problem with those 
>> 'censored trust lists' anyway.
>> The existance of censored trust lists forces users to actively maintain 
>> their own trust lists, the WoT wont work 'on its own' as it would if 
>> everyone used it the way it's supposed to.
>>
>> Let me try to explain: if everyone used wot to block flood attacks and 
>> nothing else, new users wouldnt need to try and find out which trust lists 
>> are 'good', they wouldnt need to work on thir trust lists for hours every 
>> day, try to spot censors or "guys who wont block pedos", they could simply 
>> use FMS and occasianlly set a high trust for someone they actually trust, or 
>> lower the trust for someone they caught spamming
>>
>> But the current situation makes FMS a pain in the ass. Users have to work on 
>> your trust lists regularly, and new users risk (and probably do) to have 
>> some of the content blocked by some censor because the guy posted one 
>> message on a board that the censor found 'immoral'.
>>
>> It may take time until the new user figures out which trust lists to use, 
>> and there's a very real risk that he would think that it isnt worth the 
>> hassle and give up on FMS completely.
>> I did that, others did that, and more will.
>>
>> THAT is the real problem with the Little Brothers, not their non-existent 
>> ability to censor content. they cant censor anything and they know it. But 
>> they can and do make FMS a pain in the ass to use.
>>
>> Another problem is that, assuming that the fms community will survive (which 
>> i dontthink it will), it my end up split into a number of closed 
>> sub-communities that refuse to talk to each other. But this is only a guess, 
>> so far. We'll have to see how it turns out.
>>
>> In the meantime, making FMS into a PITa has been done already, that is why 
>> FMS is as good as dead, and that's why I think that invesiting develpers' 
>> time and effort into WoT and Freetalk is a huge waste: FMS failed because of 
>> human stupidity and arrogance, and so will Freetalk/WoT, and I really cant 
>> understand why the devs cant see the obvious (or refuse to admit it)
>>
>> BTW, I dont hate Falafel. Hate costs energy. A lot of it.
>> --
>> FAFS - the Freenet Applications FreeSite
>> USK at 
>> ugb~uuscsidMI-Ze8laZe~o3BUIb3S50i25RIwDH99M,9T20t3xoG-dQfMO94LGOl9AxRTkaz~TykFY-voqaTQI,AQACAAE/FAFS/47/
>>
>> -Don't think out of the box: destroy it!-
>> ___
>> Devl 

[freenet-dev] Why WoTs won't work....

2009-05-22 Thread Daniel Cheng
On Sun, May 10, 2009 at 12:57 AM,   wrote:
> Interesting discussion from Frost, especially the last post at the bottom. 
> Its about WoTs in general and why they won't work.
>

There are no (new) interesting bits.
The pain is well known among developers, repeating/explaining won't change it.

If you want to have an alternative, do it with a *FULL PROPOSAL*
(with the all advantage / disadvantage listed; impact on the network;
etc...), not just
"Hey! Why not do this " ...  This is wasting everybody's energy.





[freenet-dev] Why WoTs won't work....

2009-05-22 Thread Evan Daniel
It's not all that interesting.  It has been discussed to death many
times.  The Advogato algorithm (or something like it) solves this
problem (not perfectly, but far, far better than the current FMS / WoT
alchemy), as I have explained in great detail.

Evan Daniel

On Sat, May 9, 2009 at 12:57 PM,   wrote:
> Interesting discussion from Frost, especially the last post at the bottom. 
> Its about WoTs in general and why they won't work.
>
>
>
> - Hahahahah at YLE3ZHs5LkiwE3FdJyQlcF5+RkA - 2009.04.05 - 02:28:11GMT 
> -
>
> I had to forward this one here.
>
> --- jezreel?X~GLTTHo9aaYtIpGT6OOyBMMFwl3b8LwFu6TUw9Q82E sent via FMS on 
> 2009-04-05 at 01:31:54GMT ---
>
> Probably not an amazing subject, but FMS is so dead lately so what the
> hell.  Falafel, why do some of the folks posting to Frost hate you so
> much?  In particular Luke771 and VolodyA.  You generally seem like a
> nice identity so I'm just curious.
> --
> jezreel at 
> pbxwgrdegrigwuteoz3tc6cfla2xu3trmi2tgr2enfrvi4bxkzlectshfvyw2wcxkrffslccijku4z2om5gtoojrpzdfcolkovtdawjuifigkrcqjbevsvrnla2xotcdpfvw6lkmkzzsyqkrifbucqkf.freemail
>
> ;))
>
> - VolodyA! V A at r0pa7z7JA1hAf2xtTt7AKLRe+yw - 2009.04.11 - 
> 12:11:26GMT -
>
> I should point out i do not hate falafel, i do not know him. I do hate what 
> he is doing to Freenet, however. If he was to stop supporting intruduction of 
> censorship on Freenet i would not say anything bad about him.
>
> In fact i tend to agree with much of what he has to say on other subjects.
>
> --
> May all the sentient beings benefit from our conversation.
>
> - Denminkan at DlKKAIKia79j4oVPbgFK4zNh25Y - 2009.04.14 - 16:13:07GMT 
> -
>
> Falafel is doing nothing. If a single guy can make the protocol not work, 
> then the protocol is shitty from the start and we need to write a new one.
>
> - Anonymous - 2009.04.14 - 20:46:59GMT -
>
> The only shit around here is spewing from the mouths of those who don't 
> understand how it works.  No one can stop you from seeing what you want to
> see.  Anyone who tells you otherwise is spreading misinformation.
>
> - Luke771 at CH4jCmDc27eeqm9Cw_WvJu+COIM - 2009.05.04 - 01:01:46GMT 
> -
>
>
> No one can really censor FMS alright, BUT there IS a problem with those 
> 'censored trust lists' anyway.
> The existance of censored trust lists forces users to actively maintain their 
> own trust lists, the WoT wont work 'on its own' as it would if everyone used 
> it the way it's supposed to.
>
> Let me try to explain: if everyone used wot to block flood attacks and 
> nothing else, new users wouldnt need to try and find out which trust lists 
> are 'good', they wouldnt need to work on thir trust lists for hours every 
> day, try to spot censors or "guys who wont block pedos", they could simply 
> use FMS and occasianlly set a high trust for someone they actually trust, or 
> lower the trust for someone they caught spamming
>
> But the current situation makes FMS a pain in the ass. Users have to work on 
> your trust lists regularly, and new users risk (and probably do) to have some 
> of the content blocked by some censor because the guy posted one message on a 
> board that the censor found 'immoral'.
>
> It may take time until the new user figures out which trust lists to use, and 
> there's a very real risk that he would think that it isnt worth the hassle 
> and give up on FMS completely.
> I did that, others did that, and more will.
>
> THAT is the real problem with the Little Brothers, not their non-existent 
> ability to censor content. they cant censor anything and they know it. But 
> they can and do make FMS a pain in the ass to use.
>
> Another problem is that, assuming that the fms community will survive (which 
> i dontthink it will), it my end up split into a number of closed 
> sub-communities that refuse to talk to each other. But this is only a guess, 
> so far. We'll have to see how it turns out.
>
> In the meantime, making FMS into a PITa has been done already, that is why 
> FMS is as good as dead, and that's why I think that invesiting develpers' 
> time and effort into WoT and Freetalk is a huge waste: FMS failed because of 
> human stupidity and arrogance, and so will Freetalk/WoT, and I really cant 
> understand why the devs cant see the obvious (or refuse to admit it)
>
> BTW, I dont hate Falafel. Hate costs energy. A lot of it.
> --
> FAFS - the Freenet Applications FreeSite
> USK at 
> ugb~uuscsidMI-Ze8laZe~o3BUIb3S50i25RIwDH99M,9T20t3xoG-dQfMO94LGOl9AxRTkaz~TykFY-voqaTQI,AQACAAE/FAFS/47/
>
> -Don't think out of the box: destroy it!-
> ___
> Devl mailing list
> Devl at freenetproject.org
> http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl



Re: [freenet-dev] Why WoTs won't work....

2009-05-22 Thread Matthew Toseland
On Friday 22 May 2009 08:17:55 bbac...@googlemail.com wrote:
> Isn't his point that the users just won't maintain the trust lists?
> I thought that is the problem that he meant how can Advogato help us here?

Advogato with only positive trust introduces a different tradeoff, which is 
still a major PITA to maintain, but maybe less of one:
- Spammers only disappear when YOU mark them as spammers, or ALL the people 
you trust do. Right now they disappear when the majority, from the point of 
view of your position on the WoT, mark them as spammers (more or less).
- If you mark a spammer as positive because he posts useful content on one 
board, and you don't read the boards he spams you are likely to get marked as 
a spammer yourself.
- If a spammer doesn't spam himself, but gains trust through posting useful 
content on various boards and then spends this trust by trusting spam 
identities, it will be necessary to give him zero message list trust. Again 
this has serious issues with collateral damage, depending on how 
trigger-happy people are and how much of a problem it is for newbies to see 
spam.

Technologically, this requires:
- Changing WoT to only support positive trust. This is more or less a one line 
change.
- Making sure that my local ratings always override those given by others, so 
I can mark an identity as spam and never see it again. Dunno if this is 
currently implemented.
- Making CAPTCHA announcement provide some form of short-lived trust, so if 
the newly introduced identity doesn't get some trust it goes away. This may 
also be implemented.
- Limits on identity churn in any trust list (1 new identity per day averaged 
over a week or something), to ensure that an attacker who has trust cannot 
constantly add new identities.

It probably also requires:
- Some indication of which trusted identities trust a spammer when you mark an 
identity as a spammer.
- Sending an ultimatum to the trusted identity that trusts more than one 
spammer: stop trusting spammers or we'll stop trusting you. This would have 
to be answered in a reasonable time, hence is a problem for those not 
constantly at their nodes.

evanbd has argued that the latter two measures are unnecessary, and that the 
limited number of spam identities that any one identity can introduce will 
make the problem manageable. An attacker who just introduces via a CAPTCHA 
will presumably only get short-lived trust, and if he only posts spam he 
won't get any positive trust. An attacker who contributes to boards to gain 
trust to create spamming sub-identities with has to do manual work to gain 
and maintain reputation among some sub-community. A newbie will not see old 
captcha-based spammers, only new ones, and those spam identities that the 
attacker's main, positive identity links to. He will have to manually block 
each such identity, because somebody is bound to have positive trust for the 
spammer parent identity.

In terms of UI, if evanbd is right, all we need is a button to mark the poster 
of a message as a spammer (and get rid of all messages from them), and a 
small amount of automatic trust when answering a message (part of the UI so 
it can be disabled). Only those users who know how, and care enough, would 
actually change the trust for the spammer-parent, and in any case doing so 
would only affect them and contribute nothing to the community.

But if he is wrong, or if an attacker is sufficiently determined, we will also 
need some way to detect spam-parents, and send them ultimatums.
 
 On Fri, May 22, 2009 at 05:51, Evan Daniel eva...@gmail.com wrote:
  It's not all that interesting.  It has been discussed to death many
  times.  The Advogato algorithm (or something like it) solves this
  problem (not perfectly, but far, far better than the current FMS / WoT
  alchemy), as I have explained in great detail.
 
  Evan Daniel
 
  On Sat, May 9, 2009 at 12:57 PM,  gu...@gmx.org wrote:
  Interesting discussion from Frost, especially the last post at the 
bottom. Its about WoTs in general and why they won't work.
 
 
 
  - hahaha...@yle3zhs5lkiwe3fdjyqlcf5+rka - 2009.04.05 - 
02:28:11GMT -
 
  I had to forward this one here.
 
  --- jezreel℺X~GLTTHo9aaYtIpGT6OOyBMMFwl3b8LwFu6TUw9Q82E sent via FMS 
on 2009-04-05 at 01:31:54GMT ---
 
  Probably not an amazing subject, but FMS is so dead lately so what the
  hell.  Falafel, why do some of the folks posting to Frost hate you so
  much?  In particular Luke771 and VolodyA.  You generally seem like a
  nice identity so I'm just curious.
  --
  
jezr...@pbxwgrdegrigwuteoz3tc6cfla2xu3trmi2tgr2enfrvi4bxkzlectshfvyw2wcxkrffslccijku4z2om5gtoojrpzdfcolkovtdawjuifigkrcqjbevsvrnla2xotcdpfvw6lkmkzzsyqkrifbucqkf.freemail
 
  ;))
 
  - VolodyA! V a...@r0pa7z7ja1haf2xttt7aklre+yw - 2009.04.11 - 
12:11:26GMT -
 
  I should point out i do not hate falafel, i do not know him. I do hate 
what he is doing to Freenet, however. If he was to stop supporting 

Re: [freenet-dev] Why WoTs won't work....

2009-05-22 Thread Matthew Toseland
On Saturday 09 May 2009 17:57:41 gu...@gmx.org wrote:
 Interesting discussion from Frost, especially the last post at the bottom. 
Its about WoTs in general and why they won't work.
 
 
 
 - hahaha...@yle3zhs5lkiwe3fdjyqlcf5+rka - 2009.04.05 - 
02:28:11GMT -
 
 I had to forward this one here.
 
 --- jezreel℺X~GLTTHo9aaYtIpGT6OOyBMMFwl3b8LwFu6TUw9Q82E sent via FMS on 
2009-04-05 at 01:31:54GMT ---
 
 Probably not an amazing subject, but FMS is so dead lately so what the 
 hell.  Falafel, why do some of the folks posting to Frost hate you so 
 much?  In particular Luke771 and VolodyA.  You generally seem like a 
 nice identity so I'm just curious.
 -- 
 
jezr...@pbxwgrdegrigwuteoz3tc6cfla2xu3trmi2tgr2enfrvi4bxkzlectshfvyw2wcxkrffslccijku4z2om5gtoojrpzdfcolkovtdawjuifigkrcqjbevsvrnla2xotcdpfvw6lkmkzzsyqkrifbucqkf.freemail
 
 ;))
 
 - VolodyA! V a...@r0pa7z7ja1haf2xttt7aklre+yw - 2009.04.11 - 
12:11:26GMT -
 
 I should point out i do not hate falafel, i do not know him. I do hate what 
he is doing to Freenet, however. If he was to stop supporting intruduction of 
censorship on Freenet i would not say anything bad about him.
 
 In fact i tend to agree with much of what he has to say on other subjects.
 
 -- 
 May all the sentient beings benefit from our conversation.
 
 - denmin...@dlkkaikia79j4ovpbgfk4znh25y - 2009.04.14 - 
16:13:07GMT -
 
 Falafel is doing nothing. If a single guy can make the protocol not work, 
then the protocol is shitty from the start and we need to write a new one.
 
 - Anonymous - 2009.04.14 - 20:46:59GMT -
 
 The only shit around here is spewing from the mouths of those who don't 
understand how it works.  No one can stop you from seeing what you want to 
see.  Anyone who tells you otherwise is spreading misinformation.
 
 - luke...@ch4jcmdc27eeqm9cw_wvju+coim - 2009.05.04 - 
01:01:46GMT -
 
 
 No one can really censor FMS alright, BUT there IS a problem with 
those 'censored trust lists' anyway.
 The existance of censored trust lists forces users to actively maintain 
their own trust lists, the WoT wont work 'on its own' as it would if everyone 
used it the way it's supposed to.
 
 Let me try to explain: if everyone used wot to block flood attacks and 
nothing else, new users wouldnt need to try and find out which trust lists 
are 'good', they wouldnt need to work on thir trust lists for hours every 
day, try to spot censors or guys who wont block pedos, they could simply 
use FMS and occasianlly set a high trust for someone they actually trust, or 
lower the trust for someone they caught spamming
 
 But the current situation makes FMS a pain in the ass. Users have to work on 
your trust lists regularly, and new users risk (and probably do) to have some 
of the content blocked by some censor because the guy posted one message on a 
board that the censor found 'immoral'.
 
 It may take time until the new user figures out which trust lists to use,
and there's a very real risk that he would think that it isn't worth the
hassle and give up on FMS completely.
 I did that, others did that, and more will.
 
 THAT is the real problem with the Little Brothers, not their non-existent
ability to censor content. They can't censor anything and they know it. But
they can and do make FMS a pain in the ass to use.
 
 Another problem is that, assuming that the FMS community will survive (which
I don't think it will), it may end up split into a number of closed
sub-communities that refuse to talk to each other. But this is only a guess,
so far. We'll have to see how it turns out.
 
 In the meantime, making FMS into a PITA has been done already, that is why
FMS is as good as dead, and that's why I think that investing developers'
time and effort into WoT and Freetalk is a huge waste: FMS failed because of
human stupidity and arrogance, and so will Freetalk/WoT, and I really can't
understand why the devs can't see the obvious (or refuse to admit it)
 
 BTW, I don't hate Falafel. Hate costs energy. A lot of it.
 
The devs don't care because there are no practical alternatives, and because I 
at least don't use FMS, since nobody I trust has reviewed it, and it can't be 
bundled so I won't. However, evanbd's work on positive trust is worth 
considering, see my other email.


signature.asc
Description: This is a digitally signed message part.
___
Devl mailing list
Devl@freenetproject.org
http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl

Re: [freenet-dev] Why WoTs won't work....

2009-05-22 Thread Evan Daniel
On Fri, May 22, 2009 at 8:17 AM, Matthew Toseland
t...@amphibian.dyndns.org wrote:
 On Friday 22 May 2009 08:17:55 bbac...@googlemail.com wrote:
 Is'nt his point that the users just won't maintain the trust lists?
 I thought that is the problem that he meant how can Advogato help us
 here?

 Advogato with only positive trust introduces a different tradeoff, which is
 still a major PITA to maintain, but maybe less of one:
 - Spammers only disappear when YOU mark them as spammers, or ALL the people
 you trust do. Right now they disappear when the majority, from the point of
 view of your position on the WoT, mark them as spammers (more or less).

When they *fail to mark them as trusted*.  It's an important
distinction, as it means that in order for the spammer to do anything
they first have to *manually* build trust.  If an identity suddenly
starts spamming, only people that originally marked it as trusted have
to change their trust lists in order to stop them.

 - If you mark a spammer as positive because he posts useful content on one
 board, and you don't read the boards he spams you are likely to get marked as
 a spammer yourself.

Depends how militant people are.  I suspect in practice people won't
do this unless you trust a lot of spammers... in which case they have
a point.  (This is also a case for distinguishing message trust from
trust list trust; while Advogato doesn't do this, the security proof
extends to cover it without trouble.)  You can take an in-between
step: if Alice marks both Bob and Carol as trusted, and Bob marks
Carol a spammer, Alice's software notices and alerts Alice, and offers
to show Alice recent messages from Carol from other boards.
(Algorithmically, publishing Sam is a spammer is no different from
not publishing anything about Sam, but it makes some nice things
possible from a UI standpoint.)  This may well get most of the benefit
of ultimatums with lower complexity.

 - If a spammer doesn't spam himself, but gains trust through posting useful
 content on various boards and then spends this trust by trusting spam
 identities, it will be necessary to give him zero message list trust. Again
 this has serious issues with collateral damage, depending on how
 trigger-happy people are and how much of a problem it is for newbies to see
 spam.

 Technologically, this requires:
 - Changing WoT to only support positive trust. This is more or less a one line
 change.

If all you want is positive trust only, yes.  If you want the security
proof, it requires using the network flow algorithm as specified in
the paper, which is a bit more complex.  IMHO, fussing with the
algorithm in ways that don't let you apply the security proof is just
trading one set of alchemy for another -- it might help, but I don't
think it would be wise.

 - Making sure that my local ratings always override those given by others, so
 I can mark an identity as spam and never see it again. Dunno if this is
 currently implemented.
 - Making CAPTCHA announcement provide some form of short-lived trust, so if
 the newly introduced identity doesn't get some trust it goes away. This may
 also be implemented.

My proposal: there are two levels of trust (implementation starts
exactly as per Advogato levels).  The lower level is CAPTCHA trust;
the higher is manually set only.  (This extends to multiple manual
levels without loss of generality.)  First, the algorithm is run
normally on the manual trust level.  Then, the algorithm is re-run on
the CAPTCHA trust level, with modification: identities that received
no manual trust have severely limited capacity (perhaps as low as 1),
and the general set of capacity vs distance from root is changed to
not go as deep.

The first part means that the spammer can't chain identities *at all*
before getting the top one manually trusted.  The second means that
identities that only solved a CAPTCHA will only be seen by a small
number of people -- ie they can't spam everyone.  The exact numbers
for flow vs depth would need some tuning for both trust levels,
obviously.  You want enough people to see new identities that they
will receive manual trust.

 - Limits on identity churn in any trust list (1 new identity per day averaged
 over a week or something), to ensure that an attacker who has trust cannot
 constantly add new identities.

This is clearly required (to prevent a spammer multiplying a limited
trust to introduce many throw-away identities, each of which spams up
to the message count limits).  However, it does present a new problem:
because trust capacities are limited, it provides a far more effective
DOS of the CAPTCHA queue than simply answering all CAPTCHAs.  I'm not
sure how to handle that.  A DOS that prevents new users from joining
is particularly vicious.


 It probably also requires:
 - Some indication of which trusted identities trust a spammer when you mark an
 identity as a spammer.
 - Sending an ultimatum to the trusted identity that trusts more than one
 spammer: 
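
The bounded-capacity flow metric and the two-level CAPTCHA variant argued for in this message, as an added example; it is not code from the thread, from WoT/FMS or from Advogato. The capacity table, the identity names and the reading of "received no manual trust" as "not accepted in the manual-level run" are assumptions.

```python
from collections import defaultdict, deque

SINK = "supersink"
INF = 10**9
CAPS = [8, 3, 2, 1]      # assumed capacity at distance 0, 1, 2, 3 from the seed


def max_flow(cap, src, dst):
    """Edmonds-Karp (shortest augmenting paths first); mutates cap in place."""
    total = 0
    while True:
        parent, queue = {src: None}, deque([src])
        while queue and dst not in parent:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if dst not in parent:
            return total
        path, v = [], dst
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(cap[u][v] for u, v in path)
        for u, v in path:
            cap[u][v] -= push
            cap[v][u] = cap[v].get(u, 0) + push   # residual (reverse) edge
        total += push


def accepted(trust, seed, caps, full_capacity=None):
    """Identities the seed accepts under a positive-trust flow metric.

    trust: {identity: [identities it marks as trusted]}
    caps:  capacity by distance from the seed; deeper identities get 0
    full_capacity: if given, identities outside this set are capped at 1,
                   so they can be accepted but cannot pass trust onward
    """
    dist, queue = {seed: 0}, deque([seed])
    while queue:
        u = queue.popleft()
        for v in trust.get(u, ()):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    cap = defaultdict(dict)
    for u, d in dist.items():
        c = caps[d] if d < len(caps) else 0
        if full_capacity is not None and u not in full_capacity:
            c = min(c, 1)
        if c < 1:
            continue
        cap[(u, "in")][SINK] = 1              # one unit means "u is accepted"
        cap[(u, "in")][(u, "out")] = c - 1    # the rest may reach u's trustees
        for v in trust.get(u, ()):
            if v != u:
                cap[(u, "out")][(v, "in")] = INF
    max_flow(cap, (seed, "in"), SINK)
    return {u for u in dist if cap[SINK].get((u, "in"), 0) > 0}


def demo_graph(n_sybils, tag=""):
    """Constructed sample: bob manually trusted mallory's dummy identity."""
    return {
        "me": ["alice", "bob"],
        "alice": ["carol"],
        "bob": ["mallory"],
        "mallory": [f"sybil{tag}-{i}" for i in range(n_sybils)],
    }


def sybils_accepted(n_sybils, tag=""):
    """Spam identities that get through, however many mallory lists."""
    got = accepted(demo_graph(n_sybils, tag), "me", CAPS)
    return {x for x in got if x.startswith("sybil")}


def churn(rounds, n_sybils=50):
    """Mallory swaps its whole trust list each round; returns every spam
    identity accepted at some point (why a churn limit is needed)."""
    seen = set()
    for r in range(rounds):
        seen |= sybils_accepted(n_sybils, tag=r)
    return seen


def two_level(manual, captcha, seed, caps, captcha_caps):
    """Run the manual level first, then re-run with CAPTCHA edges added and
    every identity lacking manual acceptance limited to capacity 1."""
    trusted = accepted(manual, seed, caps)
    merged = {u: list(manual.get(u, [])) + list(captcha.get(u, []))
              for u in dict.fromkeys([*manual, *captcha])}
    return trusted | accepted(merged, seed, captcha_caps, full_capacity=trusted)


if __name__ == "__main__":
    print(len(sybils_accepted(3)), len(sybils_accepted(500)))
    print(len(churn(5)))
```

The number of spam identities accepted in one run is bounded by bob's capacity, not by how many identities mallory lists; `churn` shows that the bound applies per run only, which is the case the per-trust-list churn limit addresses.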

Re: [freenet-dev] Why WoTs won't work....

2009-05-22 Thread Thomas Sachau
Matthew Toseland schrieb:
 On Friday 22 May 2009 08:17:55 bbac...@googlemail.com wrote:
 Is'nt his point that the users just won't maintain the trust lists?
 I thought that is the problem that he meant how can Advogato help us 
 here?
 
 Advogato with only positive trust introduces a different tradeoff, which is 
 still a major PITA to maintain, but maybe less of one:
 - Spammers only disappear when YOU mark them as spammers, or ALL the people 
 you trust do. Right now they disappear when the majority, from the point of 
 view of your position on the WoT, mark them as spammers (more or less).

So this is a disadvantage of Advogato against current FMS implementation. With the current FMS
implementation, only a majority of trusted identities need to mark him down, with Advogato, either
all original trusters need to mark him down or you need to do it yourself (either mark him down or
everyone, who trusts him, so
FMS 1:0 Advogato

 - If you mark a spammer as positive because he posts useful content on one 
 board, and you don't read the boards he spams you are likely to get marked as 
 a spammer yourself.

If this is true for Advogato, it is again a disadvantage. You should not be responsible for something
you don't see and did. In FMS, this would result in a reduced Trustlist Trust, which just means that
you are not trusted to introduce new identities, no spammer mark or similar, so
FMS 2:0 Advogato

 - If a spammer doesn't spam himself, but gains trust through posting useful 
 content on various boards and then spends this trust by trusting spam 
 identities, it will be necessary to give him zero message list trust. Again 
 this has serious issues with collateral damage, depending on how 
 trigger-happy people are and how much of a problem it is for newbies to see 
 spam.

Again, disadvantage for Advogato, if that is true, but basically the same as above: This is solved via
reduced Trustlist Trust, not reducing message trust in FMS.

 Technologically, this requires:
 - Making sure that my local ratings always override those given by others, so 
 I can mark an identity as spam and never see it again. Dunno if this is 
 currently implemented.

This is possible with FMS (optional, either your vote is part of the final trust calculation or it
overrides the overall trust result).

 - Making CAPTCHA announcement provide some form of short-lived trust, so if 
 the newly introduced identity doesn't get some trust it goes away. This may 
 also be implemented.

This would require adding trust to new people. As you can see with FMS, having everyone spending
daily time on trustlist adjustments is just an idea, which won't come true. So this would mean that
every identity that is not very active will lose any trust and would have to introduce himself
again. More pain and work resulting in less users.

 - Limits on identity churn in any trust list (1 new identity per day averaged 
 over a week or something), to ensure that an attacker who has trust cannot 
 constantly add new identities.

Only the number of identities added because of solved captchas should be limited and the limit
number is the number of announced captchas, which should be more than around 1/day. For added
identities from others, you will always do some basic review, maybe with some advanced option to
remove all identities introduced by a specific identity.

 It probably also requires:
 - Some indication of which trusted identities trust a spammer when you mark 
 an 
 identity as a spammer.

In FMS, you can simply watch the list of trusts of the spammer identity to get this information.

 - Sending an ultimatum to the trusted identity that trusts more than one 
 spammer: stop trusting spammers or we'll stop trusting you. This would have 
 to be answered in a reasonable time, hence is a problem for those not 
 constantly at their nodes.

You may note him about it, if you want (either public, or if implemented via private message), but
basically, why this warning? Does it help him in any way, if we trust him or does it harm him, if we
don't any more trust him? At least in FMS it does not change his visibility, but may change the
trustlist trust that others get for him and so may or may not include his trusts.




Re: [freenet-dev] Why WoTs won't work....

2009-05-22 Thread Evan Daniel
On Fri, May 22, 2009 at 10:48 AM, Thomas Sachau m...@tommyserver.de wrote:
 Matthew Toseland schrieb:
 On Friday 22 May 2009 08:17:55 bbac...@googlemail.com wrote:
 Is'nt his point that the users just won't maintain the trust lists?
 I thought that is the problem that he meant how can Advogato help us
 here?

 Advogato with only positive trust introduces a different tradeoff, which is
 still a major PITA to maintain, but maybe less of one:
 - Spammers only disappear when YOU mark them as spammers, or ALL the people
 you trust do. Right now they disappear when the majority, from the point of
 view of your position on the WoT, mark them as spammers (more or less).

 So this is a disadvantage of avogato against current FMS implementation. With 
 the current FMS
 implementation, only a majority of trusted identities need to mark him down, 
 with avogato, either
 all original trusters need to mark him down or you need to do it yourself 
 (either mark him down or
 everyone, who trusts him, so
 FMS 1:0 avogato

As I've said repeatedly, I believe there is a fundamental tradeoff
between spam resistance and censorship resistance, in the limiting
case.  (It's obviously possible to have an algorithm that does poorly
at both.)  Advogato *might* let more spam through than FMS.  There is
no proof provided for how much spam FMS lets through; with Advogato it
is limited in a provable manner.  Alchemy is a bad thing.  FMS
definitely makes censorship by the mob easier.  By my count, that's a
win for Advogato on both.


 - If you mark a spammer as positive because he posts useful content on one
 board, and you don't read the boards he spams you are likely to get marked as
 a spammer yourself.

 If this is true for avogato, it is again a disadvantage. You should not be 
 responsible for something
 you dont see and did. In FMS, this would result in a reduced Trustlist Trust, 
 which just means that
 you are not trusted to introduce new identities, no spammer mark or similar, 
 so
 FMS 2:0 avogato

The Advogato algorithm extends (while maintaining the proof validity)
to separate message and trust list trusts just fine.  I'm inclined to
think making the distinction is a good idea, for exactly this case.
Once the distinction is present, the two should behave fairly
similarly.


 - If a spammer doesn't spam himself, but gains trust through posting useful
 content on various boards and then spends this trust by trusting spam
 identities, it will be necessary to give him zero message list trust. Again
 this has serious issues with collateral damage, depending on how
 trigger-happy people are and how much of a problem it is for newbies to see
 spam.

 Again, disadvantage for avogato, if that is true, but basicly the same as 
 above: This is solved via
 reduced Trustlist Trust, not reducing message trust in FMS.

 Technologically, this requires:
 - Making sure that my local ratings always override those given by others, so
 I can mark an identity as spam and never see it again. Dunno if this is
 currently implemented.

 This is possible with FMS (optional, either your vote is part of the final 
 trust calculation or it
 overrides the overall trust result).

Having that option sounds like a good idea, regardless of the
underlying algorithm.


 - Making CAPTCHA announcement provide some form of short-lived trust, so if
 the newly introduced identity doesn't get some trust it goes away. This may
 also be implemented.

 This would require adding trust to new people, As you can see with FMS, 
 having everyone spending
 dayly time on trustlist adjustments is just an idea, which wont come true. So 
 this would mean that
 every identity that is not very active will loose any trust and would have to 
 introduce himself
 again. More pain and work resulting in less users.

See my proposal (other mail in this thread, also discussed
previously).  Short-range but long-lived trust is a better substitute,
imho.


 - Limits on identity churn in any trust list (1 new identity per day averaged
 over a week or something), to ensure that an attacker who has trust cannot
 constantly add new identities.

 Only the number of identities added because of solved captchas should be 
 limited and the limit
 number is the number of announced captchas, which should be more than around 
 1/day. For added
 identities from others, you will always do some basic review, maybe with some 
 advanced option to
 remove all identities introduced by a specific identity.

No, that is not sufficient.  The attack that makes it necessary (which
is also possible on FMS, btw -- in fact it's even more effective) is
fairly simple.  A spammer gets a dummy identity trusted manually by
other people.  He then has it mark several other identities as
trustworthy.  Those identities then spam as much as is worthwhile
(limited only by message count limits, basically).  The spammer then
removes them from the dummy identity published trust list, adds new
spamming identities, and repeats.  

Re: [freenet-dev] Why WoTs won't work....

2009-05-22 Thread Thomas Sachau
Evan Daniel schrieb:
 On Fri, May 22, 2009 at 10:48 AM, Thomas Sachau m...@tommyserver.de wrote:
 Matthew Toseland schrieb:
 On Friday 22 May 2009 08:17:55 bbac...@googlemail.com wrote:
 Is'nt his point that the users just won't maintain the trust lists?
 I thought that is the problem that he meant how can Advogato help us
 here?
 Advogato with only positive trust introduces a different tradeoff, which is
 still a major PITA to maintain, but maybe less of one:
 - Spammers only disappear when YOU mark them as spammers, or ALL the people
 you trust do. Right now they disappear when the majority, from the point of
 view of your position on the WoT, mark them as spammers (more or less).
 So this is a disadvantage of avogato against current FMS implementation. 
 With the current FMS
 implementation, only a majority of trusted identities need to mark him down, 
 with avogato, either
 all original trusters need to mark him down or you need to do it yourself 
 (either mark him down or
 everyone, who trusts him, so
 FMS 1:0 avogato
 
 As I've said repeatedly, I believe there is a fundamental tradeoff
 between spam resistance and censorship resistance, in the limiting
 case.  (It's obviously possible to have an algorithm that does poorly
 at both.)  Advogato *might* let more spam through than FMS.  There is
 no proof provided for how much spam FMS lets through; with Advogato it
 is limited in a provable manner.  Alchemy is a bad thing.  FMS
 definitely makes censorship by the mob easier.  By my count, that's a
 win for Advogato on both.

I don't think you can divide between spam resistance and censorship resistance for a simple
reason: Who defines what sort of action or text is spam? Many people may mostly agree about some
sort of action or content to be spam, but others could claim the reduced visibility censorship.
And I don't see any alchemy with the current trust system of FMS, if something is alchemy and not
clear, please point it out, but the exact point please.
And FMS does not make censorship by a mob easier. Simply because you should select the people you
trust yourself. Like you should select your friends and darknet peers yourself. If you let others do
it for you, don't argue about what follows (like a censored view on FMS).

 - Making CAPTCHA announcement provide some form of short-lived trust, so if
 the newly introduced identity doesn't get some trust it goes away. This may
 also be implemented.
 This would require adding trust to new people, As you can see with FMS, 
 having everyone spending
 dayly time on trustlist adjustments is just an idea, which wont come true. 
 So this would mean that
 every identity that is not very active will loose any trust and would have 
 to introduce himself
 again. More pain and work resulting in less users.
 
 See my proposal (other mail in this thread, also discussed
 previously).  Short-range but long-lived trust is a better substitute,
 imho.

I would call it censorship because those that see you because of captcha announcement can themselves
say what happens,
-if they don't give you trust, most won't see you = you are lost, are censored
-if they give you trust, everyone will see you = not censored

This would give a small group of people the chance to censor newly announced identities (also the
group may be different for every identity).

 
 - Limits on identity churn in any trust list (1 new identity per day 
 averaged
 over a week or something), to ensure that an attacker who has trust cannot
 constantly add new identities.
 Only the number of identities added because of solved captchas should be 
 limited and the limit
 number is the number of announced captchas, which should be more than around 
 1/day. For added
 identities from others, you will always do some basic review, maybe with 
 some advanced option to
 remove all identities introduced by a specific identity.
 
 No, that is not sufficient.  The attack that makes it necessary (which
 is also possible on FMS, btw -- in fact it's even more effective) is
 fairly simple.  A spammer gets a dummy identity trusted manually by
 other people.  He then has it mark several other identities as
 trustworthy.  Those identities then spam as much as is worthwhile
 (limited only by message count limits, basically).  The spammer then
 removes them from the dummy identity published trust list, adds new
 spamming identities, and repeats.  The result is that his one main
 identity can get a large quantity of spam through, even though it can
 only mark a limited number of child identities trusted and each of
 them can only send a limited amount of spam.
 
 Also, what do you mean by review of identities added from others?
 Surely you don't mean that I should have to manually review every
 poster?  Isn't the whole point of using a wot in the first place that
 I can get good trust estimates of people I've never seen before?

In FMS, there is currently a simple page, where the latest added identities are listed and how

Re: [freenet-dev] Why WoTs won't work....

2009-05-22 Thread Luke771

 FMS is as good as dead, and that's why I think that investing developers'
 time and effort into WoT and Freetalk is a huge waste: FMS failed because of
 human stupidity and arrogance, and so will Freetalk/WoT, and I really can't
 understand why the devs can't see the obvious (or refuse to admit it)
   
 BTW, I dont hate Falafel. Hate costs energy. A lot of it.
 
  
 The devs don't care because there are no practical alternatives, and because 
 I 
 at least don't use FMS, since nobody I trust has reviewed it, and it can't be 
 bundled so I won't. However, evanbd's work on positive trust is worth 
 considering, see my other email.
   

I know that. We talked about it on IRC and I agreed that even with all 
its flaws, WoT is actually the only feasible solution ATM.
I posted that message to Frost _before_ we talked about it on IRC, and I
wouldn't have forwarded it here because the topic has been discussed more
than enough.


A new combo client capable of running the classic Frost side by side 
with Freetalk could be a nice workaround, even tho not really a 
solution: a board on the old non-wot Frost could be used by an identity 
to ask for some _message_ trust if it's been made virtually invisible by 
the Little Brothers'  before anyone could give it any trust.

And yes, it can be spammed. make a new one then. The point is that an ID 
that has been unjustly blocked can ask for a second chance, and having 
to ask means that those who agree to give that ID some trust will watch 
him and will be ready to revoke that trust if he starts spamming, so 
asking for some trust and then abusing it is not gonna work.




Re: [freenet-dev] Why WoTs won't work....

2009-05-22 Thread Evan Daniel
On Fri, May 22, 2009 at 12:39 PM, Thomas Sachau m...@tommyserver.de wrote:
 Evan Daniel schrieb:
 On Fri, May 22, 2009 at 10:48 AM, Thomas Sachau m...@tommyserver.de wrote:
 Matthew Toseland schrieb:
 On Friday 22 May 2009 08:17:55 bbac...@googlemail.com wrote:
 Is'nt his point that the users just won't maintain the trust lists?
 I thought that is the problem that he meant how can Advogato help us
 here?
 Advogato with only positive trust introduces a different tradeoff, which is
 still a major PITA to maintain, but maybe less of one:
 - Spammers only disappear when YOU mark them as spammers, or ALL the people
 you trust do. Right now they disappear when the majority, from the point of
 view of your position on the WoT, mark them as spammers (more or less).
 So this is a disadvantage of avogato against current FMS implementation. 
 With the current FMS
 implementation, only a majority of trusted identities need to mark him 
 down, with avogato, either
 all original trusters need to mark him down or you need to do it yourself 
 (either mark him down or
 everyone, who trusts him, so
 FMS 1:0 avogato

 As I've said repeatedly, I believe there is a fundamental tradeoff
 between spam resistance and censorship resistance, in the limiting
 case.  (It's obviously possible to have an algorithm that does poorly
 at both.)  Advogato *might* let more spam through than FMS.  There is
 no proof provided for how much spam FMS lets through; with Advogato it
 is limited in a provable manner.  Alchemy is a bad thing.  FMS
 definitely makes censorship by the mob easier.  By my count, that's a
 win for Advogato on both.

 I dont think you can divide between spam resistance and censorship 
 resistance for a simple
 reason: Who defines what sort of action or text is spam? Many people may 
 mostly aggree about some
 sort of action or content to be spam, but others could claim the reduced 
 visibility censorship.
 And i dont see any alchemy with the current trust system of FMS, if something 
 is alchemy and not
 clear, please point it out, but the exact point please.
 And FMS does not make censorship by a mob easier. Simply because you should 
 select the people you
 trust yourself. Like you should select your friends and darknet peers 
 yourself. If you let others do
 it for you, dont argue about what follows (like a censored view on FMS).

Yes, the spam and censorship problems are closely related.  That's why
I say there is something of a tradeoff between them.  The problem with
FMS should be obvious: if some small group actively tries to censor
things I consider non-spam, then it requires a significant amount of
effort by me to stop that.  I have to look at trust lists that mostly
contain valid markings, and belong to real people posting real
messages, and somehow determine that some of the entries on them are
invalid, and then decide not to trust their trust list.  Furthermore,
I have to do this without actually examining each entry on their trust
list -- I'm trying to look at *less* spam here, not more.  The result
is a balkanization of trust lists based on differing policies.  Any
mistakes I make will go unnoticed, since I won't see the erroneously
rejected messages.

In FMS, a group with permissive policies (spam filtering only) and a
group that filtered content they found objectionable can't make
effective use of each other's trust lists.  However, the former group
would like to trust the not-spammer ratings made by the latter group,
and the latter group would like to trust the spammer ratings made by
the former.  AIUI, the balkanization of FMS trust lists largely
prevents this.  Advogato would allow the permissive group to make use
of the less permissive group's ratings, without allowing them to act
as censors.

IMHO, the Advogato case is better for two reasons: first, favoring
those who only want to stop spam over those who want to filter
objectionable content is more consistent with the philosophy behind
Freenet.  Second, spam filters of any sort should be biased towards
type II errors, since they're less problematic and easier to correct.

Essentially, I think that FMS goes overboard in its attempts to reduce
spam.  It is my firm belief that limiting the amount of spam that can
be sent to a modest linear function of the amount of *manual* effort a
spammer exerts is sufficient.  Spam is a problem in both Frost and
email because spammers can simply run bots.  The cost of FMS, both in
worry over mob censorship and work required to maintain trust lists,
is very high.  I think that the total effort spent by the community
would be reduced by the use of an algorithm that took more effort to
stop spammers, and less effort to enable normal communications.  We
need to be aware of what we optimize for, and make sure it's really
what we want.

I've explained why FMS is alchemy before, but it's an important point,
so I don't mind repeating it.  FMS has some goals, and it performs an
algorithm.  There is no proof that the 

Re: [freenet-dev] Why WoTs won't work....

2009-05-22 Thread Matthew Toseland
On Friday 22 May 2009 15:39:06 Evan Daniel wrote:
 On Fri, May 22, 2009 at 8:17 AM, Matthew Toseland
 t...@amphibian.dyndns.org wrote:
  On Friday 22 May 2009 08:17:55 bbac...@googlemail.com wrote:
  Is'nt his point that the users just won't maintain the trust lists?
  I thought that is the problem that he meant how can Advogato help us
  here?
 
  Advogato with only positive trust introduces a different tradeoff, which is
  still a major PITA to maintain, but maybe less of one:
  - Spammers only disappear when YOU mark them as spammers, or ALL the people
  you trust do. Right now they disappear when the majority, from the point of
  view of your position on the WoT, mark them as spammers (more or less).
 
 When they *fail to mark them as trusted*.  It's an important
 distinction, as it means that in order for the spammer to do anything
 they first have to *manually* build trust.  If an identity suddenly
 starts spamming, only people that originally marked it as trusted have
 to change their trust lists in order to stop them.
 
  - If you mark a spammer as positive because he posts useful content on one
  board, and you don't read the boards he spams you are likely to get marked 
  as
  a spammer yourself.
 
 Depends how militant people are.  I suspect in practice people won't
 do this unless you trust a lot of spammers... in which case they have
 a point.  (This is also a case for distinguishing message trust from
 trust list trust; while Advogato doesn't do this, the security proof
 extends to cover it without trouble.)  You can take an in-between
 step: if Alice marks both Bob and Carol as trusted, and Bob marks
 Carol a spammer, Alice's software notices and alerts Alice, and offers
 to show Alice recent messages from Carol from other boards.
 (Algorithmically, publishing Sam is a spammer is no different from
 not publishing anything about Sam, but it makes some nice things
 possible from a UI standpoint.)  This may well get most of the benefit
 of ultimatums with lower complexity.

Right, this is something I keep forgetting to mention. When marking a user as a 
spammer, the UI should ask the user about people who trust that spammer and 
other spammers. However, it does encourage militancy, doesn't it? It certainly 
doesn't solve the problem the way that ultimatums do...
 
  - If a spammer doesn't spam himself, but gains trust through posting useful
  content on various boards and then spends this trust by trusting spam
  identities, it will be necessary to give him zero message list trust. Again
  this has serious issues with collateral damage, depending on how
  trigger-happy people are and how much of a problem it is for newbies to see
  spam.
 
  Technologically, this requires:
  - Changing WoT to only support positive trust. This is more or less a one 
  line
  change.
 
 If all you want is positive trust only, yes.  If you want the security
 proof, it requires using the network flow algorithm as specified in
 the paper, which is a bit more complex.  IMHO, fussing with the
 algorithm in ways that don't let you apply the security proof is just
 trading one set of alchemy for another -- it might help, but I don't
 think it would be wise.

I was under the impression that WoT already used Advogato, apart from 
supporting negative trust values and therefore negative trust.
 
  - Making sure that my local ratings always override those given by others, 
  so
  I can mark an identity as spam and never see it again. Dunno if this is
  currently implemented.
  - Making CAPTCHA announcement provide some form of short-lived trust, so if
  the newly introduced identity doesn't get some trust it goes away. This may
  also be implemented.
 
 My proposal: there are two levels of trust (implementation starts
 exactly as per Advogato levels).  The lower level is CAPTCHA trust;
 the higher is manually set only.  (This extends to multiple manual
 levels without loss of generality.)  First, the algorithm is run
 normally on the manual trust level.  Then, the algorithm is re-run on
 the CAPTCHA trust level, with modification: identities that received
 no manual trust have severely limited capacity (perhaps as low as 1),
 and the general set of capacity vs distance from root is changed to
 not go as deep.

Not bad. Currently CAPTCHA identities are seen by everyone iirc, this may be a 
desirable (if not scalable) property.
 
 The first part means that the spammer can't chain identities *at all*
 before getting the top one manually trusted.  The second means that
 identities that only solved a CAPTCHA will only be seen by a small
 number of people -- ie they can't spam everyone.  The exact numbers
 for flow vs depth would need some tuning for both trust levels,
 obviously.  You want enough people to see new identities that they
 will receive manual trust.

Yeah... so far p0s has resisted any suggestion that any identity won't be seen 
by everyone... Also the anti-censorship lobby probably object to any new 
identity 

Re: [freenet-dev] Why WoTs won't work....

2009-05-22 Thread Matthew Toseland
On Friday 22 May 2009 18:59:47 Evan Daniel wrote:
 On Fri, May 22, 2009 at 12:39 PM, Thomas Sachau m...@tommyserver.de wrote:
  Evan Daniel schrieb:
  On Fri, May 22, 2009 at 10:48 AM, Thomas Sachau m...@tommyserver.de wrote:
  Matthew Toseland schrieb:
  On Friday 22 May 2009 08:17:55 bbac...@googlemail.com wrote:
  Isn't his point that the users just won't maintain the trust lists?
  I thought that is the problem that he meant how can Advogato help us
  here?
  Advogato with only positive trust introduces a different tradeoff, which is
  still a major PITA to maintain, but maybe less of one:
  - Spammers only disappear when YOU mark them as spammers, or ALL the people
  you trust do. Right now they disappear when the majority, from the point of
  view of your position on the WoT, mark them as spammers (more or less).
  So this is a disadvantage of Advogato against current FMS implementation.
  With the current FMS implementation, only a majority of trusted identities
  need to mark him down, with Advogato, either all original trusters need to
  mark him down or you need to do it yourself (either mark him down or
  everyone, who trusts him, so
  FMS 1:0 Advogato
 
  As I've said repeatedly, I believe there is a fundamental tradeoff
  between spam resistance and censorship resistance, in the limiting
  case.  (It's obviously possible to have an algorithm that does poorly
  at both.)  Advogato *might* let more spam through than FMS.  There is
  no proof provided for how much spam FMS lets through; with Advogato it
  is limited in a provable manner.  Alchemy is a bad thing.  FMS
  definitely makes censorship by the mob easier.  By my count, that's a
  win for Advogato on both.
 
  I don't think you can divide between spam resistance and censorship
  resistance for a simple reason: Who defines what sort of action or text is
  spam? Many people may mostly agree about some sort of action or content to
  be spam, but others could claim the reduced visibility censorship.
  And I don't see any alchemy with the current trust system of FMS, if
  something is alchemy and not clear, please point it out, but the exact
  point please.
  And FMS does not make censorship by a mob easier. Simply because you should
  select the people you trust yourself. Like you should select your friends
  and darknet peers yourself. If you let others do it for you, don't argue
  about what follows (like a censored view on FMS).
 
 Yes, the spam and censorship problems are closely related.  That's why
 I say there is something of a tradeoff between them.  The problem with
 FMS should be obvious: if some small group actively tries to censor
 things I consider non-spam, then it requires a significant amount of
 effort by me to stop that.  I have to look at trust lists that mostly
 contain valid markings, and belong to real people posting real
 messages, and somehow determine that some of the entries on them are
 invalid, and then decide not to trust their trust list.  Furthermore,
 I have to do this without actually examining each entry on their trust
 list -- I'm trying to look at *less* spam here, not more.  The result
 is a balkanization of trust lists based on differing policies.  Any
 mistakes I make will go unnoticed, since I won't see the erroneously
 rejected messages.
 
 In FMS, a group with permissive policies (spam filtering only) and a
 group that filtered content they found objectionable can't make
 effective use of each other's trust lists.  However, the former group
 would like to trust the not-spammer ratings made by the latter group,
 and the latter group would like to trust the spammer ratings made by
 the former.  AIUI, the balkanization of FMS trust lists largely
 prevents this.  Advogato would allow the permissive group to make use
 of the less permissive group's ratings, without allowing them to act
 as censors.
 
 IMHO, the Advogato case is better for two reasons: first, favoring
 those who only want to stop spam over those who want to filter
 objectionable content is more consistent with the philosophy behind
 Freenet.  Second, spam filters of any sort should be biased towards
 type II errors, since they're less problematic and easier to correct.
 
 Essentially, I think that FMS goes overboard in its attempts to reduce
 spam.  It is my firm belief that limiting the amount of spam that can
 be sent to a modest linear function of the amount of *manual* effort a
 spammer exerts is sufficient.  Spam is a problem in both Frost and
 email because spammers can simply run bots.  The cost of FMS, both in
 worry over mob censorship and work required to maintain trust lists,
 is very high.  I think that the total effort spent by the community
 would be reduced by the use of an algorithm that took more effort to
 stop spammers, and less effort to enable normal communications.  We
 need to be aware of what we optimize for, and make sure it's really
 what we want.
 
 I've explained why FMS is alchemy 

Re: [freenet-dev] Why WoTs won't work....

2009-05-22 Thread Evan Daniel
On Fri, May 22, 2009 at 4:16 PM, Matthew Toseland
t...@amphibian.dyndns.org wrote:
 On Friday 22 May 2009 15:39:06 Evan Daniel wrote:
 On Fri, May 22, 2009 at 8:17 AM, Matthew Toseland
 t...@amphibian.dyndns.org wrote:
  On Friday 22 May 2009 08:17:55 bbac...@googlemail.com wrote:
  Isn't his point that the users just won't maintain the trust lists?
  I thought that is the problem that he meant how can Advogato help us
  here?
 
  Advogato with only positive trust introduces a different tradeoff, which is
  still a major PITA to maintain, but maybe less of one:
  - Spammers only disappear when YOU mark them as spammers, or ALL the people
  you trust do. Right now they disappear when the majority, from the point of
  view of your position on the WoT, mark them as spammers (more or less).

 When they *fail to mark them as trusted*.  It's an important
 distinction, as it means that in order for the spammer to do anything
 they first have to *manually* build trust.  If an identity suddenly
 starts spamming, only people that originally marked it as trusted have
 to change their trust lists in order to stop them.

  - If you mark a spammer as positive because he posts useful content on one
  board, and you don't read the boards he spams you are likely to get marked
  as a spammer yourself.

 Depends how militant people are.  I suspect in practice people won't
 do this unless you trust a lot of spammers... in which case they have
 a point.  (This is also a case for distinguishing message trust from
 trust list trust; while Advogato doesn't do this, the security proof
 extends to cover it without trouble.)  You can take an in-between
 step: if Alice marks both Bob and Carol as trusted, and Bob marks
 Carol a spammer, Alice's software notices and alerts Alice, and offers
 to show Alice recent messages from Carol from other boards.
 (Algorithmically, publishing Sam is a spammer is no different from
 not publishing anything about Sam, but it makes some nice things
 possible from a UI standpoint.)  This may well get most of the benefit
 of ultimatums with lower complexity.

 Right, this is something I keep forgetting to mention. When marking a user as 
 a spammer, the UI should ask the user about people who trust that spammer and 
 other spammers. However, it does encourage militancy, doesn't it? It 
 certainly doesn't solve the problem the way that ultimatums do...

I don't know how much militancy the software should encourage.  I'm
inclined to think it should start low, and then change it if that
doesn't work.


  - If a spammer doesn't spam himself, but gains trust through posting useful
  content on various boards and then spends this trust by trusting spam
  identities, it will be necessary to give him zero message list trust. Again
  this has serious issues with collateral damage, depending on how
  trigger-happy people are and how much of a problem it is for newbies to see
  spam.
 
  Technologically, this requires:
  - Changing WoT to only support positive trust. This is more or less a one
  line change.

 If all you want is positive trust only, yes.  If you want the security
 proof, it requires using the network flow algorithm as specified in
 the paper, which is a bit more complex.  IMHO, fussing with the
 algorithm in ways that don't let you apply the security proof is just
 trading one set of alchemy for another -- it might help, but I don't
 think it would be wise.

 I was under the impression that WoT already used Advogato, apart from 
 supporting negative trust values and therefore negative trust.

The documentation mentions Advogato, and there are some diagrams that
relate to it, but none of the detailed description of the algorithm is
at all related.  Advogato is based on network flow computation.  WoT
as described on the freesite is not -- an identity with 40 trust
points is permitted to give up to 40 points *each* to any number of
child identities, with the actual number given determined by a trust
rating.

In contrast, Advogato has multiple levels of trust, and each identity
either trusts or does not trust each other identity at a given level.
The number of trust points an identity gets is based on capacity and
the optimal flow path.  It does not speak to how trustworthy that
identity is; at a given trust level, the algorithm either accepts or
does not accept a given identity.  Multiple trust levels (eg, a level
for captcha solving and a level for manual trust) implies running the
algorithm multiple times on different (though related) graphs; when
running at a given level, connections at that level and all higher
levels are used.

This implies running Ford-Fulkerson or similar; it's more complicated
than the current system, though not drastically so.
http://en.wikipedia.org/wiki/Ford-Fulkerson_algorithm


  - Making sure that my local ratings always override those given by others,
  so I can mark an identity as spam and never see it again. Dunno if this is
  currently implemented.
  - 
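
Added illustration, not part of the thread and not code from WoT, FMS or Advogato: the flow computation Evan Daniel describes above, together with his two-level manual/CAPTCHA proposal quoted earlier in the thread, as a Python example. The capacity tables, the identity names and the graph are constructed; Edmonds-Karp stands in for "Ford-Fulkerson or similar", and "received no manual trust" is read here as "was not accepted in the manual pass", which is an assumption.

```python
from collections import deque

INF = float("inf")
SINK = "SINK"

def distances(trust, seed):
    """Trust-hop distance from the seed to every reachable identity."""
    dist, queue = {seed: 0}, deque([seed])
    while queue:
        u = queue.popleft()
        for v in trust.get(u, ()):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def advogato_accept(trust, seed, capacities, limited=frozenset()):
    """Identities accepted by an Advogato-style max-flow computation.

    capacities[d] is the capacity of an identity d hops from the seed (0
    beyond the table). Identities in `limited` get capacity at most 1: they
    can be accepted themselves but cannot pass flow to anyone they trust.
    """
    dist = distances(trust, seed)
    res = {}  # residual capacities, res[a][b]

    def edge(a, b, c):
        res.setdefault(a, {})[b] = c
        res.setdefault(b, {}).setdefault(a, 0)

    for node, d in dist.items():
        c = capacities[d] if d < len(capacities) else 0
        if node in limited:
            c = min(c, 1)
        if c < 1:
            continue
        edge((node, "in"), SINK, 1)               # one unit accepts the node
        edge((node, "in"), (node, "out"), c - 1)  # the rest may flow onward
        for v in trust.get(node, ()):
            if v != node:
                edge((node, "out"), (v, "in"), INF)  # trust edges are unbounded

    source = (seed, "in")
    while True:  # Edmonds-Karp: augment along shortest residual paths
        parent, queue = {source: None}, deque([source])
        while queue and SINK not in parent:
            u = queue.popleft()
            for v, c in res.get(u, {}).items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if SINK not in parent:
            break
        v = SINK  # every path ends in a unit edge, so push exactly one unit
        while parent[v] is not None:
            u = parent[v]
            res[u][v] -= 1
            res[v][u] += 1
            v = u
    return {n for n in dist if res.get((n, "in"), {}).get(SINK, 1) == 0}

def merge(manual, captcha):
    """Edges usable at the CAPTCHA level: that level plus the higher one."""
    return {u: list(manual.get(u, ())) + list(captcha.get(u, ()))
            for u in set(manual) | set(captcha)}

def two_level(manual, captcha, seed, manual_caps, captcha_caps):
    """Manual pass, then a CAPTCHA pass that limits non-trusted identities."""
    trusted = advogato_accept(manual, seed, manual_caps)
    graph = merge(manual, captcha)
    everyone = set(graph) | {v for vs in graph.values() for v in vs}
    seen = advogato_accept(graph, seed, captcha_caps, limited=everyone - trusted)
    return trusted, seen

# Constructed sample data; every name and number below is made up.
MANUAL_CAPS = [16, 6, 3, 2, 1]
CAPTCHA_CAPS = [8, 4, 2, 1]      # shorter range than the manual table

def sample(n_sybils):
    sybils = [f"sybil{i}" for i in range(n_sybils)]
    manual = {"me": ["alice", "bob"], "alice": ["carol"],
              "bob": ["carol", "mallory"],   # bob was fooled by mallory
              "mallory": sybils}             # who vouches for her sybils
    captcha = {"alice": ["newbie"],          # newbie solved alice's CAPTCHA
               "newbie": ["chain1"]}         # and tries to chain an identity
    return manual, captcha, sybils

if __name__ == "__main__":
    for n in (5, 500):
        manual, captcha, sybils = sample(n)
        trusted, seen = two_level(manual, captcha, "me", MANUAL_CAPS, CAPTCHA_CAPS)
        print(n, "sybils created,", len(trusted & set(sybils)), "accepted;",
              "newbie seen:", "newbie" in seen, "chain1 seen:", "chain1" in seen)
```

The number of accepted sybils is fixed by mallory's capacity, not by how many identities she creates, and the CAPTCHA-only identity is seen without being able to introduce anyone behind it.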

Re: [freenet-dev] Why WoTs won't work....

2009-05-22 Thread Victor Denisov
 In contrast, Advogato has multiple levels of trust, and each identity
 either trusts or does not trust each other identity at a given level.
...
 This implies running Ford-Fulkerson or similar; it's more complicated
 than the current system, though not drastically so.
 http://en.wikipedia.org/wiki/Ford-Fulkerson_algorithm

I don't know if it's common knowledge, but there's a relatively
well-written implementation of Advogato trust metric in Java, available
here: http://www.saddi.com/projects/index.html.
I hadn't reviewed it personally, but several of my students used it
successfully in their trust-related research.

Regards,
Victor Denisov.
___
Devl mailing list
Devl@freenetproject.org
http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl


Re: [freenet-dev] Why WoTs won't work....

2009-05-22 Thread Evan Daniel
On Fri, May 22, 2009 at 5:03 PM, Matthew Toseland
t...@amphibian.dyndns.org wrote:
  - Making CAPTCHA announcement provide some form of short-lived trust, so if
  the newly introduced identity doesn't get some trust it goes away. This may
  also be implemented.
  This would require adding trust to new people, As you can see with FMS,
  having everyone spending daily time on trustlist adjustments is just an
  idea, which won't come true. So this would mean that every identity that is
  not very active will lose any trust and would have to introduce himself
  again. More pain and work resulting in less users.
 
  See my proposal (other mail in this thread, also discussed
  previously).  Short-range but long-lived trust is a better substitute,
  imho.
 
  I would call it censorship because those that see you because of captcha
  announcement can themselves say what happens,
  -if they don't give you trust, most won't see you = you are lost, are
  censored
  -if they give you trust, everyone will see you = not censored
 
  This would give a small group of people the chance to censor newly
  announced identities (also the group may be different for every identity).

 Then use a more permissive capacity:distance function.  There is no
 requirement that you use a shorter range function, or that you use the
 same function as everyone else.  IMHO, the default should be somewhat
 shorter range, in an attempt to balance the number of people that see
 new identities.  As you observe, too few leads to censorship
 possibilities (out of malice or just plain laziness).  Too many means
 that an identity with CAPTCHA trust only can spam and have everyone
 see that spam, which provides the spammer a reasonably efficient way
 to send spam.

 So it's a tradeoff which can be easily configured by the user.

Yes.  As always, intelligent defaults are important; they should be
applicable to most newbies, but don't need to meet everyone's needs.
And if you change it unwisely, you hurt only yourself (other people
don't even notice).


 I agree with pretty much all of the above, but the medium-term worry is that 
 we will start to have to worry about those who trust spammers, and those who 
 trust those who trust spammers. By eliminating negative trust, Advogato 
 forces us to either tolerate a certain (and unclear) amount of spam, or spend 
 a lot of effort on hunting down those who trust spammers, resulting in 
 massive collateral damage.
 
  Also, what do you mean by review of identities added from others?
  Surely you don't mean that I should have to manually review every
  poster?  Isn't the whole point of using a wot in the first place that
  I can get good trust estimates of people I've never seen before?
 
  In FMS, there is currently a simple page, where the latest added identities
  are listed and how they were listed. So if you get many spamming identities
  and they are all added from 1 trusted peer, just remove his trustlist trust
  and all those new spamming identities won't reach you.

 We want to make it easy, or nobody will do it. Poring over your trust list 
 day after day is not most people's idea of fun.

 There are three approaches, given positive trust only. Depending on the level 
 of effort exerted by the spammer, we move from one tradeoff between spam 
 resistance and censorship resistance to the next. IMHO the last stage 
 involves significant risk of censorship or at least collateral damage, while 
 obviously having the strongest spam resistance.

 The first approach is to mark spammers as spammers, and limit the capacity of 
 trusted identities to create new spammers by for example limits on the number 
 of identities that can change in a trust list in one day. This means that 
 everyone will have to mark all the spam identities as spam, much as in Frost 
 with the Alice bot. It will deter newbies, but it should be usable for the 
 determined. Note that it is *essential* on a positive trust only network that 
 our spam markings override others' positive trust levels.

 The second approach is when we mark an identity as spam, WoT realises that an 
 identity trusting that spammer also trusts a lot of other spammers, and 
 proposes that we mark the parent identity as a spammer, at least for purposes 
 of trust list trust. Hopefully this will be enough. The cost for every user 
 will be to mark a few spammer posts as spam, and then accept WoT's 
 recommendation to mark the parent as spammer. A few will be an arbitrary 
 parameter that will have to be argued about, higher means less chance of 
 marking non-spammers as spammers, but at the cost of seeing more spam.

 The third approach is that when we mark the parent identity as spam, WoT 
 suggests marking those who trust the parent identity also as spammers for 
 purposes of trust list trust (if we trust them; if we don't, it's not our 
 problem; we are trying to optimise the network *for other people*, 
 particularly for newbies, 

[freenet-dev] Why WoTs won't work....

2009-05-21 Thread gulli
Interesting discussion from Frost, especially the last post at the bottom. It's
about WoTs in general and why they won't work.



- hahaha...@yle3zhs5lkiwe3fdjyqlcf5+rka - 2009.04.05 - 02:28:11GMT -

I had to forward this one here.

--- jezreel℺X~GLTTHo9aaYtIpGT6OOyBMMFwl3b8LwFu6TUw9Q82E sent via FMS on 
2009-04-05 at 01:31:54GMT ---

Probably not an amazing subject, but FMS is so dead lately so what the 
hell.  Falafel, why do some of the folks posting to Frost hate you so 
much?  In particular Luke771 and VolodyA.  You generally seem like a 
nice identity so I'm just curious.
-- 
jezr...@pbxwgrdegrigwuteoz3tc6cfla2xu3trmi2tgr2enfrvi4bxkzlectshfvyw2wcxkrffslccijku4z2om5gtoojrpzdfcolkovtdawjuifigkrcqjbevsvrnla2xotcdpfvw6lkmkzzsyqkrifbucqkf.freemail

;))

- VolodyA! V a...@r0pa7z7ja1haf2xttt7aklre+yw - 2009.04.11 - 12:11:26GMT -

I should point out I do not hate falafel, I do not know him. I do hate what he
is doing to Freenet, however. If he was to stop supporting introduction of
censorship on Freenet I would not say anything bad about him.

In fact i tend to agree with much of what he has to say on other subjects.

-- 
May all the sentient beings benefit from our conversation.

- denmin...@dlkkaikia79j4ovpbgfk4znh25y - 2009.04.14 - 16:13:07GMT -

Falafel is doing nothing. If a single guy can make the protocol not work, then 
the protocol is shitty from the start and we need to write a new one.

- Anonymous - 2009.04.14 - 20:46:59GMT -

The only shit around here is spewing from the mouths of those who don't 
understand how it works.  No one can stop you from seeing what you want to see. 
 Anyone who tells you otherwise is spreading misinformation.

- luke...@ch4jcmdc27eeqm9cw_wvju+coim - 2009.05.04 - 01:01:46GMT -


No one can really censor FMS alright, BUT there IS a problem with those
'censored trust lists' anyway.
The existence of censored trust lists forces users to actively maintain their
own trust lists, the WoT won't work 'on its own' as it would if everyone used it
the way it's supposed to.

Let me try to explain: if everyone used wot to block flood attacks and nothing
else, new users wouldn't need to try and find out which trust lists are 'good',
they wouldn't need to work on their trust lists for hours every day, try to spot
censors or guys who won't block pedos, they could simply use FMS and
occasionally set a high trust for someone they actually trust, or lower the
trust for someone they caught spamming

But the current situation makes FMS a pain in the ass. Users have to work on
your trust lists regularly, and new users risk (and probably do) to have some
of the content blocked by some censor because the guy posted one message on a
board that the censor found 'immoral'.

It may take time until the new user figures out which trust lists to use, and
there's a very real risk that he would think that it isn't worth the hassle and
give up on FMS completely.
I did that, others did that, and more will.

THAT is the real problem with the Little Brothers, not their non-existent
ability to censor content. They can't censor anything and they know it. But they
can and do make FMS a pain in the ass to use.

Another problem is that, assuming that the fms community will survive (which I
don't think it will), it may end up split into a number of closed sub-communities
that refuse to talk to each other. But this is only a guess, so far. We'll have
to see how it turns out.

In the meantime, making FMS into a PITA has been done already, that is why FMS
is as good as dead, and that's why I think that investing developers' time and
effort into WoT and Freetalk is a huge waste: FMS failed because of human
stupidity and arrogance, and so will Freetalk/WoT, and I really can't understand
why the devs can't see the obvious (or refuse to admit it)

BTW, I don't hate Falafel. Hate costs energy. A lot of it.
-- 
FAFS - the Freenet Applications FreeSite
u...@ugb~uuscsidmi-ze8laze~o3buib3s50i25riwdh99m,9T20t3xoG-dQfMO94LGOl9AxRTkaz~TykFY-voqaTQI,AQACAAE/FAFS/47/

-Don't think out of the box: destroy it!-

Re: [freenet-dev] Why WoTs won't work....

2009-05-21 Thread Daniel Cheng
On Sun, May 10, 2009 at 12:57 AM,  gu...@gmx.org wrote:
 Interesting discussion from Frost, especially the last post at the bottom. 
 It's about WoTs in general and why they won't work.


There are no (new) interesting bits.
The pain is well known among developers, repeating/explaining won't change it.

If you want to have an alternative, do it with a *FULL PROPOSAL*
(with the all advantage / disadvantage listed; impact on the network;
etc...), not just
Hey! Why not do this  ...  This is wasting everybody's energy.

snip


Re: [freenet-dev] Why WoTs won't work....

2009-05-21 Thread Evan Daniel
It's not all that interesting.  It has been discussed to death many
times.  The Advogato algorithm (or something like it) solves this
problem (not perfectly, but far, far better than the current FMS / WoT
alchemy), as I have explained in great detail.

Evan Daniel


[freenet-dev] Why WoTs won't work....

2009-05-09 Thread gu...@gmx.org
Interesting discussion from Frost, especially the last post at the bottom. It's
about WoTs in general and why they won't work.



- Hahahahah at YLE3ZHs5LkiwE3FdJyQlcF5+RkA - 2009.04.05 - 02:28:11GMT -

I had to forward this one here.

--- jezreel?X~GLTTHo9aaYtIpGT6OOyBMMFwl3b8LwFu6TUw9Q82E sent via FMS on 
2009-04-05 at 01:31:54GMT ---

Probably not an amazing subject, but FMS is so dead lately so what the 
hell.  Falafel, why do some of the folks posting to Frost hate you so 
much?  In particular Luke771 and VolodyA.  You generally seem like a 
nice identity so I'm just curious.
-- 
jezreel at 
pbxwgrdegrigwuteoz3tc6cfla2xu3trmi2tgr2enfrvi4bxkzlectshfvyw2wcxkrffslccijku4z2om5gtoojrpzdfcolkovtdawjuifigkrcqjbevsvrnla2xotcdpfvw6lkmkzzsyqkrifbucqkf.freemail

;))

- VolodyA! V A at r0pa7z7JA1hAf2xtTt7AKLRe+yw - 2009.04.11 - 12:11:26GMT -

I should point out I do not hate falafel, I do not know him. I do hate what he
is doing to Freenet, however. If he was to stop supporting introduction of
censorship on Freenet I would not say anything bad about him.

In fact i tend to agree with much of what he has to say on other subjects.

-- 
May all the sentient beings benefit from our conversation.

- Denminkan at DlKKAIKia79j4oVPbgFK4zNh25Y - 2009.04.14 - 16:13:07GMT -

Falafel is doing nothing. If a single guy can make the protocol not work, then 
the protocol is shitty from the start and we need to write a new one.

- Anonymous - 2009.04.14 - 20:46:59GMT -

The only shit around here is spewing from the mouths of those who don't 
understand how it works.  No one can stop you from seeing what you want to see. 
 Anyone who tells you otherwise is spreading misinformation.

- Luke771 at CH4jCmDc27eeqm9Cw_WvJu+COIM - 2009.05.04 - 01:01:46GMT -


No one can really censor FMS alright, BUT there IS a problem with those
'censored trust lists' anyway.
The existence of censored trust lists forces users to actively maintain their
own trust lists, the WoT won't work 'on its own' as it would if everyone used it
the way it's supposed to.

Let me try to explain: if everyone used wot to block flood attacks and nothing
else, new users wouldn't need to try and find out which trust lists are 'good',
they wouldn't need to work on their trust lists for hours every day, try to spot
censors or "guys who won't block pedos", they could simply use FMS and
occasionally set a high trust for someone they actually trust, or lower the
trust for someone they caught spamming

But the current situation makes FMS a pain in the ass. Users have to work on
your trust lists regularly, and new users risk (and probably do) to have some
of the content blocked by some censor because the guy posted one message on a
board that the censor found 'immoral'.

It may take time until the new user figures out which trust lists to use, and
there's a very real risk that he would think that it isn't worth the hassle and
give up on FMS completely.
I did that, others did that, and more will.

THAT is the real problem with the Little Brothers, not their non-existent
ability to censor content. They can't censor anything and they know it. But they
can and do make FMS a pain in the ass to use.

Another problem is that, assuming that the fms community will survive (which I
don't think it will), it may end up split into a number of closed sub-communities
that refuse to talk to each other. But this is only a guess, so far. We'll have
to see how it turns out.

In the meantime, making FMS into a PITA has been done already, that is why FMS
is as good as dead, and that's why I think that investing developers' time and
effort into WoT and Freetalk is a huge waste: FMS failed because of human
stupidity and arrogance, and so will Freetalk/WoT, and I really can't understand
why the devs can't see the obvious (or refuse to admit it)

BTW, I don't hate Falafel. Hate costs energy. A lot of it.
-- 
FAFS - the Freenet Applications FreeSite
USK at 
ugb~uuscsidMI-Ze8laZe~o3BUIb3S50i25RIwDH99M,9T20t3xoG-dQfMO94LGOl9AxRTkaz~TykFY-voqaTQI,AQACAAE/FAFS/47/

-Don't think out of the box: destroy it!-