[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] CloudFlare

Gregory Maxwell:
> On Thu, Apr 18, 2013 at 2:57 PM, Jacob Appelbaum <jacob@xxxxxxxxxxxxx> wrote:
>> It is possible to request a special flag on a Wikipedia account that is
>> granted by way of some special handshake. It is possible to take an
>> already created account and use it for edits as the flag overrides the
>> Tor block.
> The flag is called ipblock-exempt

Right - it might make sense to make a second flag - anonymity-allowed
and set it to true for everyone until they abuse it.

> You can see the the list of uses on english wikipedia that have it here:
> http://en.wikipedia.org/w/index.php?title=Special%3AListUsers&username=&group=ipblock-exempt&limit=500
> (bot accounts and administrators also inherit this ability without the
> ipblock-exempt flag)

That page is a very predictable side effect of having a flag for people
with strong need for privacy. I guess we know which Wikipedia users are
valuable or doing something interesting, right? o_0

> (As an aside, your own account was previously flagged this way, (by
> Wikimedia's chairman of the board), but the flag has since been
> removed because your account has been inactive:
> http://en.wikipedia.org/w/index.php?title=Special%3ALog&type=&user=&page=User%3AIoerror&year=&month=-1&tagfilter=
> )

I did not know that the flag times out - that is rather sad - privacy is
automatically removed, even for people who don't abuse it? Is there any
way to get it back? Or do I now have to deanonymize myself again and
attempt some other secret handshakes? :(

> [snip]
>> I think we should ensure that Wikipedia understands that the account was
>> created with Tor and that the user may be using this to circumvent
>> censorship, to protect what they are reading or editing from their local
>> network censors or surveillance regime as well as to protect IP address
>> information that the US currently doesn't really protect (see USA vs.
>> Appelbaum; re: my Twitter case). Since the US can see a lot of the
>> traffic to Wikipedia, I'd guess that this is important worldwide.
> I've been generally unable to convince people that surveillance of
> Wikipedia access is both happening and actually important. The people
> participating in the creation and administration Wikipedia (and
> likewise those employed by the Wikimedia foundation) enjoy the
> privileged of having the greatest intellectual freedom that has ever
> been enjoyed by anyone anywhere. This is unsurprising: People without
> substantial freedom of all kinds are not the most likely to go about
> assembling a Free Encyclopedia. Like any other privileged it's not
> always obvious to the beholder.

I know a few people that work/ed at the Wikimedia and they did not
suffer from such blindness. I think though that the best retort to
claims that it isn't happening is actually found on the Wikipedia
servers themselves:


I seem to remember the full list of proxies:


> The idea that someone's Wikipedia editing (or, much less _reading_)
> habits might be highly private and personal and likely to cause harm
> if monitored isn't really appreciated by people who really find that
> kind of monitoring hard to believe (even, ironically, when it's
> currently happening to themâ the illusion of intellectual freedom is
> greater than the actual intellectual freedom)

How could anyone suggest that they do not have massive user surveillance
with such a huge list of proxies *in their own source code* tree?

Here is the list again:


> I was unsuccessful in the last major datacenter reworking convincing
> the technical staff to adopt an architecture which could reasonably
> scale to supporting SSL always on for all readers (one where SSL
> wasn't handled by a separate cluster but was instead run in parallel
> on the existing non-ssl frontends).

I'm sorry to hear that.

> Unfortunately, I think it will probably take someone being killed for
> reasons considered unjust by western standards before the considerable
> expenditure necessary to HSTS the entire site will be justified.
> Pressure on this front needs to come from activists, not from
> technology people.

I tend to agree. Though I'd be happy to give a talk at a brown bag lunch
or something, if it would help.

>> A workable solution would be to continue to use such a list to detect
>> Tor usage and then to ensure that we now allow new accounts to be
>> created over Tor. The MediaWiki should ensure that HSTS is sent to the
>> user and that the user only ever uses HTTPS to connect to Wikipedia.
> Account creation via tor is explicitly and intentionally disabled.

I remember, I'm sad to hear that this hasn't changed.

>> If the user is abusive and an IP block would normally apply, Wikipedia
>> would not block by IP but would rather use the normal Wikipedia process
>> to resolve disputes (in edits, discussions, etc)
> The blocking of tor (and other IP) addresses is never intended to be a
> part of the regular "disagreeable behavior for otherwise well meaning
> and sane contributors" process. It doesn't aid in that process.
> In theory blocking is really only a measure against people who are
> malicious or (temporarily?) mentally ill.  Wikipedia will try to
> reason you out of doing something, and if that fails, _tell_ you to
> stop doing something, and then only block you if you don't listen.

That is very frustrating indeed.

>> and if the account is
>> just being used for automated jerk behavior, I think it would be
>> reasonable to lock the account, perhaps even forcing the user to solve a
>> captcha, or whatever other process is used when accounts are abused in
>> an automated fashion.
> Mostly the really automated behavior is not that huge of an issueâ the
> thousands of wiki administrators have access sophisticated  to
> automated behavioral blocking tools (I think the rule expression
> language in abusefilter is turing complete), account creation requires
> solving a captcha... and marketers have discovered that spamming
> Wikipedia can have certain unexpected negative effects once caught
> (like completely disappearing from search engine indexes), so only
> idiot marketers spam overtly.

That is an interesting data point, thanks.

> But what is an issue is an issue is _non-automated_ or semi-automated
> jerk behavior.  A single bored kid or irate mentally ill person can
> easily fully saturate the time of ten or more Wikipedia volunteer
> editors with a barrage of fake identities making subtle undermining
> edits or over massive scale one time automated attacks. To some people
> this kind of thing is just a really excellent MMORPG, this is, no
> doubt, amplified by the fact that most of the sites operation is
> conspicuously performed by human hands and minds. Much of the bad
> behavior is benign but time consuming, though some is quite concerning
> and violent (e.g. blasting pages with images of child porn mixed with
> photos of contributors children).  Beyond the pure time consumption,
> it is demoralizing and dehumanizing to the volunteer editors to
> constantly be non-consensually made a target in some jerks MMORPG-fun.

I find it strange that so much human time may *only* be saved by an ip
address. I mean, nymbler and other systems solve this problem for a
given user and I can't imagine that there aren't common patterns of
abuse that would say, leave a non-jerk, tor user out of their database

I'm with you that bad behavior exists - I also feel like by blocking
Tor, we find ourselves in a position where regular people have basically
no options and the jerks will often be one step ahead.

As a classic example, I didn't realize the flag had been lifted from my
account and I was without my normal computing environment. I did however
want to correct a mistake on a page - so I used Tor to reach a third
system and performed my edit routing through the third system.

It was such a pain to have to use a third system and boy, if you think
Tor is slow, try using Tor to bounce to another system just to edit the
Wikipedia! Ouch!

> There aren't many of these jerks, howeverâ I'd guess that for any
> major language there are only dozen or so world wide any any time
> (they either change obsessions, grow out of it, or end up incarcerated
> (no kidding), so they seem to be constantly shifting).  Because of
> this aggressively blocking every IP address they have access to is
> actually _quite_ effective.  You eventually get all the networks they
> have ready access too (in some cases where the problem has come from
> an institution, Wikipedians have traded blocking the whole institution
> for eliminating the problem with disciplinary action), including
> whatever open wifi they can easily reach... the first one to have paid
> for botnet access gets the botnet largely blocked and so on.  It's
> demonstratively effective... and in cases where overbroad blocks hit
> established users, they can be exempted on an account by account
> basis.

That seems reasonable in a sense. I'd say that I'd like to see an
automatic expiration for any such block; I'd also say that any user who
is logged in and *known* to be "good" should automatically be exempt.
Does that seem reasonable or has this been tried only to end in tears?

> So if creating an account that can edit via tor is as simple as
> solving a captcha then it will be impossible to stop these abusive
> peopleâ they will happily pipeline out account creation as fast as
> whatever rate-limiters will allow them, jump through whatever hoops,
> they have nearly unbounded time and motivation ... and then they can
> continue to victimize Wikipedia contributors (and readers, though the
> readers don't seem to take bad information of Wikipedia personally)
> without consequence.

I think that in such a case, we'd want to deploy a system like Nymbler
rather than a captcha - so that an abusive user's edits could be
reverted in a way that doesn't harm everyone or discriminate entire
classes of users.

> Sometimes you can be victimized by forces outside of your control and
> there is just nothing you can really do about it.  But thats not the
> case here, blocking every proxy the jerks use _works_. It has
> collateral damage of unknown magnitude, but the part that is
> specifically known can be largely solved with exemptions. The harm it
> solves is insanely salient: the jerks rub your face in their success,
> the harm is causes is invisible (since the visible parts get solved
> with exemptions).

Sure, I understand. I find it pretty sad all around too.

>> Most of that isn't technical - it is a matter of accepting that some of
>> us are not free. Some of us who are not free require systems like Tor to
>> participate in the Free Culture community curated by the Wikipedia
>> community on Wikipedia. Some of us will then be free to be part of that
>> community and perhaps, if we work smartly, other freedoms will follow
>> from the knowledge of the community.
> There are so many hurdles to equitable participation: Access to
> computers, _literacy_, educational differentials, perceived societal
> roles, social norms within the community making some people feel like
> outsiders ...  the people excluded because they are not free and for
> whom the exemption process is inadequate seem like something of a
> rounding error by comparisonâ especially to people who find that whole
> not-freeness thing to be a kind of vague and distant concept.  Doubly
> so when it's easy to ignore the importance of participating in that
> culture and say "for your own protection, if editing Wikipedia would
> put you in danger we prefer you to not do it!"

I agree - I find it pretty sad that Wikipedia is creating more of them
in an almost unique manner. I also acknowledge at the very same time
that Wikipedia is helping to improve the world and I understand that
there is a balance to be struck.

How many people have their access to Wikipedia censored? How many try to
edit once they find a way around the censorship and are stopped? It is
hard to measure these things and as a result, censorship wins again.

All the best,
tor-talk mailing list