Re: [tor-talk] Wikimedia and Tor

["Derric Atzrott" <datzrott@xxxxxxxxxxxxxxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> With Tor soft-blocked, this problem goes away. What am I missing?

I'm not sure if you are saying "Tor is soft-blocked, so what is the
problem?" or "If we soft-blocked Tor there would be no problem." So
I'm going to attempt to address both.

==Tor is soft-blocked==
Tor is not currently soft-blocked.  It is hard-blocked along with
all other anonymising services that we have been able to find.
This means that if you want to edit any Wikimedia project and you
want to use Tor to do it you need:

* An already existing account at Wikimedia
* Be either an Admin or have been given an IP Block Exemption

Getting a Wikimedia account isn't hard, even through Tor.  The
second item though is prohibitively hard.  Becoming an admin takes
multiple years for many people, and getting an IPBE has the
unofficial requirements of having been around a long time (think
months to years), having made significant contributions, and having
a demonstrated need.

During the time that you are trying to fulfill those requirements
you are editing without the use of Tor.  This exposes the identity
attached to the account and makes it non-anonymous even when you
do use Tor, though using Tor would still likely provide some
benefit if you needed to hide your location but not your real life
identity.

The current situation with Tor hard-blocked makes it near impossible
to realistically edit Wikimedia projects using Tor without exposing
your identity.

==Tor could be soft-blocked==
Imagine the following scenario: You get blocked on Wikipedia for
being abusive in a discussion.  You open up Tor, create a new
email address somewhere, email in requesting an account so you can
edit via Tor, get the account, go back to making someone's life
miserable.  You can repeat this as many times as needed until they
finally quit the project and you are victorious.

Or this scenario: There is a discussion going on about whether or
not to include a particular piece of embarassing information in
an article about a particular person.  There are pretty much good
arguments on both sides of the discussion so its going to come down
to how many folk support those arguments.  The opinion you have is
in the minority, but not to worry, you just, over the next two or
three days, request a number of account be made and use those
accounts to pitch your support for your preferred idea.

Both of these would be fairly easy to detect, but they still waste
valuable time and energy of folks, and both are easily expanded
upon to be more effective.

For scenario one: Make some of those accounts ahead of
time, make a few good edits with them just to confuse folks later,
and then just let them lie dormant until you need them.

For scenario two: Make a few accounts slowly and keep them active.
Then use them to sway discussions in one way or another.  This
would be really hard to detect, or at least prove, with Tor.

Both of those enhancements already happen, but with Tor they
would be signficantly harder to detect and block because of the
lack of useful IP address information and the inability to
hard-block Tor without hard-blocking all of Tor, which in the
end is what was decided to be done to fix the problem.

If we can find a way to make it expensive for those sorts of
folks to create new accounts, expensive enough to deter all but
the most crazy of the puppeteers, while still cheap enough to not
deter that guy in Super-Evil-Regime, then I think that there may be
some hope of changing the culture that says "Tor leads to nothing
but trouble."

By soft-blocking Tor instead of hard-blocking Tor, without any
additional measures in place, we may be opening the flood gates to
all manner of easily conceived abuse.

I liked the GPG idea, and brought it back to Wikitech-l. I'll let
you guys know if anyone there finds a way to completely break it.

Thank you,
Derric Atzrott
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFULUpqRHoDdZBwKDgRAvocAKCtpwPsOyibphrfawcPW2sn1BlItgCaA0mL
iXqzJetpG4hIfVuWpcIrWo8=
=1uyC
-----END PGP SIGNATURE-----

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk