[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Hello directly from Jimbo at Wikipedia
On Tue, Sep 27, 2005 at 01:46:13PM -0400, Jimmy Wales wrote:
> I'd like to say thanks for the invitation to join this dialogue.
> Let me tell you what I love. I love the Chinese dissident who wants to
> work on Wikipedia articles in safety. I love that Wikipedia is an open
> platform that allows people to have that voice, and that we can have a
> positive impact on the world in large part because we don't bow to
> censorship and we are willing to reach out and work with people like Tor
> to empower individuals to speak, no matter what sort of oppressive
> conditions they face.
> WE ARE ON THE SAME SIDE.
Agreed. And glad to struggle to common understanding as long as good
faith seems to be coming from both sides (which to date it mostly does
despite mutual frustration).
> "I share frustrations that the statements attributed to Jimmy Wales in
> the record below and in previous messages seem to show some fundamental
> misunderstandings and willful ignorance of Tor, and more broadly of
> identity, identifiers, reputation, authentication, etc. in open
> network communications"
> Willful ignorance? Not at all.
OK. I was letting out some frustration there. One of the main reasons
for this is the raising of the standard spam red herring. You appear
to have raised it again below, and I still don't understand why. I
take spam to mean the mass sending of unsolicited email. I don't want
to get into quibbles about 'commercial' or criteria for what counts as
solicited. But this does not seem to be what you are talking about at
When we first designed and fielded Tor, we decided that even though it
would be a lousy delivery vehicle for spam, we would set a default to
block port 25 (the only avenue over which spam has been sent at least
at the time). Even though this reduced functionality for legitimate
users and had just about no effect on spammers, we didn't have to
explain subtleties. We could just say, "It cannot be used for
spam. Period." But many, e.g., the SORBS people, seem to just not care
about the facts. You say below that you deal with it [spam] regularly,
but how does blocking Tor servers (more properly, any and all that
share an IP address with a Tor server) from posting on your web
interface reduce the amount of unsolicited email you receive? I'm not
trying to bait you here. It's just that we are always saying Tor isn't
used for spam and is designed to be especially spam unfriendly, and no
one ever provides a shred of evidence to the contrary. I honestly
don't understand how anyone could bring up spam unless they were
willfully ignorant of Tor design and deployment strategy. That's
why I said what I did. But let's get past the strong wordings.
When you bring up spam coming over Tor to Wikipedia, what sorts
of traffic specifically are you talking about.
> What I know is that we are forced to
> block Tor servers regularly due to persistent vandalism. That's a sad
> fact to me. It's a difficult thing for those of us who are serious
> about these issues. But the really sad thing is when elements of the
> Tor community are not willing to face up to this as a legitimate and
> difficult problem.
I don't claim to speak for the community. But as the originator of the
underlying Onion Routing concept, and as one of the designers of Tor,
I can tell you that we are aware of the tradeoffs. We discussed them
in our "Challenges in deploying low-latency anonymity" paper. I quote
the relevant section from that paper.
It was long expected that, alongside legitimate users, Tor would
also attract troublemakers who exploit Tor to abuse services on the
Internet with vandalism, rude mail, and so on. Our initial answer
to this situation was to use ``exit policies'' to allow individual
Tor nodes to block access to specific IP/port ranges. This
approach aims to make operators more willing to run Tor by allowing
them to prevent their nodes from being used for abusing particular
services. For example, all Tor nodes currently block SMTP (port
25), to avoid being used for spam.
Exit policies are useful, but they are insufficient: if not all
nodes block a given service, that service may try to block Tor
instead. While being blockable is important to being good
netizens, we would like to encourage services to allow anonymous
access. Services should not need to decide between blocking
legitimate anonymous use and allowing unlimited abuse.
This is potentially a bigger problem than it may appear. On the
one hand, services should be allowed to refuse connections from
sources of possible abuse. But when a Tor node administrator
decides whether he prefers to be able to post to Wikipedia from his
IP address, or to allow people to read Wikipedia anonymously
through his Tor node, he is making the decision for others as
well. (For a while, Wikipedia blocked all posting from all Tor
nodes based on IP addresses.) If the Tor node shares an address
with a campus or corporate NAT, then the decision can prevent the
entire population from posting. This is a loss for both Tor and
Wikipedia: we don't want to compete for (or divvy up) the
NAT-protected entities of the world.
Worse, many IP blacklists are coarse-grained: they ignore Tor's
exit policies, partly because it's easier to implement and partly
so they can punish all Tor nodes. One IP blacklist even bans every
class C network that contains a Tor node, and recommends banning
SMTP from these networks even though Tor does not allow SMTP at
all. This strategic decision aims to discourage the operation of
anything resembling an open proxy by encouraging its neighbors to
shut it down to get unblocked themselves. This pressure even
affects Tor nodes running in middleman mode (disallowing all exits)
when those nodes are blacklisted too.
Problems of abuse occur mainly with services such as IRC networks
and Wikipedia, which rely on IP blocking to ban abusive users.
While at first blush this practice might seem to depend on the
anachronistic assumption that each IP is an identifier for a single
user, it is actually more reasonable in practice: it assumes that
non-proxy IPs are a costly resource, and that an abuser can not
change IPs at will. By blocking IPs which are used by Tor nodes,
open proxies, and service abusers, these systems hope to make
ongoing abuse difficult. Although the system is imperfect, it
works tolerably well for them in practice.
Of course, we would prefer that legitimate anonymous users be able
to access abuse-prone services. One conceivable approach would
require would-be IRC users, for instance, to register accounts if
they want to access the IRC network from Tor. In practice this
would not significantly impede abuse if creating new accounts were
easily automatable; this is why services use IP blocking. To deter
abuse, pseudonymous identities need to require a significant
switching cost in resources or human time. Some popular webmail
applications impose cost with Reverse Turing Tests, but this step
may not deter all abusers. Freedom used blind signatures to limit
the number of pseudonyms for each paying account, but Tor has
neither the ability nor the desire to collect payment.
We stress that as far as we can tell, most Tor uses are not
abusive. Most services have not complained, and others are actively
working to find ways besides banning to cope with the abuse. For
example, the Freenode IRC network had a problem with a coordinated
group of abusers joining channels and subtly taking over the
conversation; but when they labelled all users coming from Tor IPs
as ``anonymous users,'' removing the ability of the abusers to
blend in, the abuse stopped.
> "everyone is so worried about it, but has any one ever been successfully
> been able to use tor to effectively spam anyone?"
> Yes, of course! We deal with it constantly. We have an effective means
> of dealing with it: we block Tor servers from editing wikipedia. But is
> that what any of us want?
Huh? See above.
> "Misbehaviour is in the eye of the observer, however."
> No, actually it isn't. There is such a thing as objectively
> identifiable malicious behavior. We aren't Chinese censors here. We're
> the good guys. We want to work with you.
> Yes, we could implement tight security to only allow people who identify
> themselves (perhaps we'll require a credit card number, someone
> suggests?)... but *cough*, aren't we supposed to care about privacy here?
Yes we are, but that's not the only security you could implement, and
I hope no one would suggest it. But getting someone else's IP address
is no harder than getting someone else's credit card number. In fact
much easier since they are explicitly not unique to individual people
most of the time, and there are even less attempts to protect them
than to protect credit card numbers. I think I can safely speak for
the main Tor developers and designers when I say that We would be glad
to work with you to develop Tor-compatible authentication mechanisms
that are more appropriate qua authentication mechanisms than you now
have. And you can rest assured that we would be at least as concerned
about protecting the identity of those using it as you would be.