
Re: [tor-talk] Tor and Google error / CAPTCHAs.




On 10/05/2016 06:11 AM, Alec Muffett wrote:
> Mirimir: Generally I like your suggestions, they are thoughtful,
> and I think you're shooting in the right direction.

Thanks :) I'm stretching to get past my default urge to evade blocks.

> A few observations:
> 
> a) I like the idea of Google giving you "one free search" and from
> that trying to determine whether you are an "asshole" after which
> it lightens up with the oppression; the challenge here is that "one
> free search" is easily exploitable by the "League of Assholes" who
> will create a vast army of "apparently-noob-non-assholes" and
> aggregate across their free searches in order to perform the
> scraping/searching/spamming that they desire.  (Yes, even search
> results are interesting to scrapers, eg: using the Google cache to
> mine e-mail addresses from some third-party website which provides
> open access to GoogleBot but not to normal people.)

I suppose that's possible. But assholes who could manage that might
find it easier to use burner VPS proxies, botnets, or soft botnets
like Hola/Luminati. And maybe evasion by Tor-using assholes is an
acceptable cost for benefits that Tor provides to people at risk.

> b) I am not familiar with Wilders (?) but it sounds quite
> intensively moderated, something that perhaps Reddit also pulls off
> to some extent. Communities can be self-policing (see also
> Wikipedia) but not all communities offer a value proposition where
> self-policing would be a complete solution, eg: I feel that Reddit
> is far less family-friendly than FB.  Also, at FB-like scale,
> self-policing would be really challenging.

Yes, Wilders <https://www.wilderssecurity.com/> is moderated very
intensively. By a hierarchy of trusted volunteers, and administrators.
There is little tolerance for off-topic posts, and zero tolerance for
politics. Reddit, in contrast, is a total free-for-all. I'd say that
Wilders is about as family-friendly as FB :) Even more so than HN.

> c) Further, "graduated access", where the tuple of {you + the means
> which you use to access the site} gaining privilege by being a good
> community member?  That's great, though it is open to "identity
> farming" and "what happens if/when community members who validate
> the new members, themselves go rogue?" - "quis custodiet?", and all
> that stuff.

Yes, going rogue is a huge problem with subreddits. It doesn't happen
on Wilders, because it's much^N smaller, and criteria for trusted
moderators are much stricter. Identity farming is always an issue when
"anonymity" is possible. Wilders has zero tolerance for multiple
accounts, and violators tend to get nuked and their posts deleted.

> d) Finally, to get technical, I like these ideas but I see the
> challenges of convincing social networks to implement the code to
> support such graduated access, and to factor in the use of Proxy
> Networks such as Tor, will require greater awareness of how to
> address issues b) and c) above, plus for Tor to be popular enough
> that folk consider it worthwhile to address in this way.
> 
> This all strikes me as a massive bootstrap challenge.  Not
> impossible, but hard and long-term.

Yes, that's the hardest problem. Why do sites care about the
relatively small share of users that want pseudonymous and/or
location-obscured access? FB has a Tor onion site, but they still want
to know who you are, and you still need a mobile account for text
authentication.

Maybe worse, even setting aside the needs of worthy users, the arms
race between assholes and their targets is clearly escalating, and Tor
exit operators are getting caught in the crossfire. Ironically, in
recent discussion on the tor-relays list, some have argued that it's
website owners who are responsible for blocking abuse. And if they
can't manage that, they should just block access from Tor exits ;)

Based on my reading of tor-relays over the past few years, within 2-5
years it will be virtually impossible to find hosting for exit relays.
Unless, that is, they manage to block abusive traffic. And that would
be a fundamental break with Tor's laissez faire tradition.

So yes, hard times are coming, I fear.

> -a
> 