[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?



> Although it's not an ideal situation, a few days ago a Google employee
> posted regarding access via Tor:
>
> https://lists.torproject.org/pipermail/tor-talk/2012-October/025923.html

Hi, I'm that employee.

That post is specifically about login to existing accounts that were
created outside of Tor.

We have a policy of phone verifying every signup via anonymizing
proxies. If you signed up via Tor and didn't get asked to phone verify
it means the list of exit nodes we're using isn't up to date, or there
was a sync issue. Or you used an exit node that isn't in the list for
some reason. We use this one:
http://exitlist.torproject.org/exit-addresses

We appreciate the offer to solve 1000 CAPTCHAs. Unfortunately the cost
of 1000 CAPTCHAs is only about $1 on the open market, not exactly a
high bar.

The need for phone verification is unfortunate but real. If we had a
better way to throttle abuse we'd use it. Unfortunately we don't. In
the past I've researched and suggested using deposits of Bitcoin so we
could set the price of an account in a more nuanced way, see here for
a description of how it'd work:

  https://en.bitcoin.it/wiki/Contracts#Example_1:_Providing_a_deposit

(bitcoin is my 20% project)

For a variety of practical reasons I don't think that'll happen for
Google accounts anytime soon, even assuming the software for it
existed, which it doesn't yet. But I think it'd be great if people who
are interested in making Tor usable with abusable services worked on
the Bitcoin approach. I'd start by integrating with MediaWiki,
blogging platforms etc, forum software etc, so if people want to run
wikis/forums/blogs as hidden services or otherwise they have a way to
make spam expensive without using the proxy of identity.

Of course it does move the problem to be "how can I acquire Bitcoin?"
but you get unlinkability. Even if the Bitcoin seller you used knows
your identity, the recipient of the coins does not.

So I'm afraid we don't have a good solution for people who want to
sign up to Google anonymously today beyond buying accounts and getting
unlinkability that way, but as I said, that's against our terms of
service and can easily be confused with abuse so it's somewhat
dangerous.

thanks
-mike
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk