On Thu, Apr 18, 2013 at 2:57 PM, Jacob Appelbaum <[email protected]> wrote:
> It is possible to request a special flag on a Wikipedia account that is
> granted by way of some special handshake. It is possible to take an
> already created account and use it for edits as the flag overrides the
> Tor block.

The flag is called ipblock-exempt. You can see the list of users on English Wikipedia that have it here:
http://en.wikipedia.org/w/index.php?title=Special%3AListUsers&username=&group=ipblock-exempt&limit=500
(bot accounts and administrators also inherit this ability without the ipblock-exempt flag)

(As an aside, your own account was previously flagged this way, (by Wikimedia's chairman of the board), but the flag has since been removed because your account has been inactive:
http://en.wikipedia.org/w/index.php?title=Special%3ALog&type=&user=&page=User%3AIoerror&year=&month=-1&tagfilter= )

[snip]
> I think we should ensure that Wikipedia understands that the account was
> created with Tor and that the user may be using this to circumvent
> censorship, to protect what they are reading or editing from their local
> network censors or surveillance regime as well as to protect IP address
> information that the US currently doesn't really protect (see USA vs.
> Appelbaum; re: my Twitter case). Since the US can see a lot of the
> traffic to Wikipedia, I'd guess that this is important worldwide.

I've been generally unable to convince people that surveillance of Wikipedia access is both happening and actually important.

The people participating in the creation and administration of Wikipedia (and likewise those employed by the Wikimedia Foundation) enjoy the privilege of having the greatest intellectual freedom that has ever been enjoyed by anyone anywhere. This is unsurprising: People without substantial freedom of all kinds are not the most likely to go about assembling a Free Encyclopedia. Like any other privilege it's not always obvious to the beholder.

The idea that someone's Wikipedia editing (or, much less _reading_) habits might be highly private and personal and likely to cause harm if monitored isn't really appreciated by people who really find that kind of monitoring hard to believe (even, ironically, when it's currently happening to them— the illusion of intellectual freedom is greater than the actual intellectual freedom).

I was unsuccessful in the last major datacenter reworking convincing the technical staff to adopt an architecture which could reasonably scale to supporting SSL always on for all readers (one where SSL wasn't handled by a separate cluster but was instead run in parallel on the existing non-ssl frontends). Unfortunately, I think it will probably take someone being killed for reasons considered unjust by western standards before the considerable expenditure necessary to HSTS the entire site will be justified. Pressure on this front needs to come from activists, not from technology people.

> A workable solution would be to continue to use such a list to detect
> Tor usage and then to ensure that we now allow new accounts to be
> created over Tor. The MediaWiki should ensure that HSTS is sent to the
> user and that the user only ever uses HTTPS to connect to Wikipedia.

Account creation via tor is explicitly and intentionally disabled.

> If the user is abusive and an IP block would normally apply, Wikipedia
> would not block by IP but would rather use the normal Wikipedia process
> to resolve disputes (in edits, discussions, etc)

The blocking of tor (and other IP) addresses is never intended to be a part of the regular "disagreeable behavior for otherwise well meaning and sane contributors" process. It doesn't aid in that process. In theory blocking is really only a measure against people who are malicious or (temporarily?) mentally ill. Wikipedia will try to reason you out of doing something, and if that fails, _tell_ you to stop doing something, and then only block you if you don't listen.

> and if the account is
> just being used for automated jerk behavior, I think it would be
> reasonable to lock the account, perhaps even forcing the user to solve a
> captcha, or whatever other process is used when accounts are abused in
> an automated fashion.

Mostly the really automated behavior is not that huge of an issue— the thousands of wiki administrators have access to sophisticated automated behavioral blocking tools (I think the rule expression language in abusefilter is Turing complete), account creation requires solving a captcha... and marketers have discovered that spamming Wikipedia can have certain unexpected negative effects once caught (like completely disappearing from search engine indexes), so only idiot marketers spam overtly.

But what is an issue is _non-automated_ or semi-automated jerk behavior. A single bored kid or irate mentally ill person can easily fully saturate the time of ten or more Wikipedia volunteer editors with a barrage of fake identities making subtle undermining edits or over massive scale one time automated attacks. To some people this kind of thing is just a really excellent MMORPG, this is, no doubt, amplified by the fact that most of the site's operation is conspicuously performed by human hands and minds.

Much of the bad behavior is benign but time consuming, though some is quite concerning and violent (e.g. blasting pages with images of child porn mixed with photos of contributors' children). Beyond the pure time consumption, it is demoralizing and dehumanizing to the volunteer editors to constantly be non-consensually made a target in some jerk's MMORPG-fun.

There aren't many of these jerks, however— I'd guess that for any major language there are only a dozen or so worldwide at any time (they either change obsessions, grow out of it, or end up incarcerated (no kidding), so they seem to be constantly shifting).

Because of this, aggressively blocking every IP address they have access to is actually _quite_ effective. You eventually get all the networks they have ready access to (in some cases where the problem has come from an institution, Wikipedians have traded blocking the whole institution for eliminating the problem with disciplinary action), including whatever open wifi they can easily reach... the first one to have paid for botnet access gets the botnet largely blocked and so on. It's demonstrably effective... and in cases where overbroad blocks hit established users, they can be exempted on an account by account basis.

So if creating an account that can edit via tor is as simple as solving a captcha then it will be impossible to stop these abusive people— they will happily pipeline out account creation as fast as whatever rate-limiters will allow them, jump through whatever hoops, they have nearly unbounded time and motivation ... and then they can continue to victimize Wikipedia contributors (and readers, though the readers don't seem to take bad information of Wikipedia personally) without consequence.

Sometimes you can be victimized by forces outside of your control and there is just nothing you can really do about it. But that's not the case here, blocking every proxy the jerks use _works_. It has collateral damage of unknown magnitude, but the part that is specifically known can be largely solved with exemptions. The harm it solves is insanely salient: the jerks rub your face in their success, the harm it causes is invisible (since the visible parts get solved with exemptions).

> Most of that isn't technical - it is a matter of accepting that some of
> us are not free. Some of us who are not free require systems like Tor to
> participate in the Free Culture community curated by the Wikipedia
> community on Wikipedia.
> Some of us will then be free to be part of that
> community and perhaps, if we work smartly, other freedoms will follow
> from the knowledge of the community.

There are so many hurdles to equitable participation: Access to computers, _literacy_, educational differentials, perceived societal roles, social norms within the community making some people feel like outsiders ... the people excluded because they are not free and for whom the exemption process is inadequate seem like something of a rounding error by comparison— especially to people who find that whole not-freeness thing to be a kind of vague and distant concept. Doubly so when it's easy to ignore the importance of participating in that culture and say "for your own protection, if editing Wikipedia would put you in danger we prefer you to not do it!"

_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
