Re: Hello directly from Jimbo at Wikipedia
On Tue, Sep 27, 2005 at 01:46:13PM -0400, Jimmy Wales wrote:
> I'd like to say thanks for the invitation to join this dialogue.
>
> Let me tell you what I love. I love the Chinese dissident who wants to
> work on Wikipedia articles in safety. I love that Wikipedia is an open
> platform that allows people to have that voice, and that we can have a
> positive impact on the world in large part because we don't bow to
> censorship and we are willing to reach out and work with people like Tor
> to empower individuals to speak, no matter what sort of oppressive
> conditions they face.
>
> WE ARE ON THE SAME SIDE.
>
Agreed. And glad to struggle to common understanding as long as good
faith seems to be coming from both sides (which to date it mostly does
despite mutual frustration).
>
> "I share frustrations that the statements attributed to Jimmy Wales in
> the record below and in previous messages seem to show some fundamental
> misunderstandings and willful ignorance of Tor, and more broadly of
> identity, identifiers, reputation, authentication, etc. in open
> network communications"
>
> Willful ignorance? Not at all.
OK. I was letting out some frustration there. One of the main reasons
for this is the raising of the standard spam red herring. You appear
to have raised it again below, and I still don't understand why. I
take spam to mean the mass sending of unsolicited email. I don't want
to get into quibbles about 'commercial' or criteria for what counts as
solicited. But this does not seem to be what you are talking about at
all.

When we first designed and fielded Tor, we decided that even though it
would be a lousy delivery vehicle for spam, we would set a default to
block port 25 (the only avenue over which spam has been sent at least
at the time). Even though this reduced functionality for legitimate
users and had just about no effect on spammers, we didn't have to
explain subtleties. We could just say, "It cannot be used for
spam. Period." But many, e.g., the SORBS people, seem to just not care
about the facts. You say below that you deal with it [spam] regularly,
but how does blocking Tor servers (more properly, any and all that
share an IP address with a Tor server) from posting on your web
interface reduce the amount of unsolicited email you receive? I'm not
trying to bait you here. It's just that we are always saying Tor isn't
used for spam and is designed to be especially spam unfriendly, and no
one ever provides a shred of evidence to the contrary. I honestly
don't understand how anyone could bring up spam unless they were
willfully ignorant of Tor design and deployment strategy. That's
why I said what I did. But let's get past the strong wordings.
When you bring up spam coming over Tor to Wikipedia, what sorts
of traffic specifically are you talking about?
> What I know is that we are forced to
> block Tor servers regularly due to persistent vandalism. That's a sad
> fact to me. It's a difficult thing for those of us who are serious
> about these issues. But the really sad thing is when elements of the
> Tor community are not willing to face up to this as a legitimate and
> difficult problem.
>
I don't claim to speak for the community. But as the originator of the
underlying Onion Routing concept, and as one of the designers of Tor,
I can tell you that we are aware of the tradeoffs. We discussed them
in our "Challenges in deploying low-latency anonymity" paper. I quote
the relevant section from that paper.

It was long expected that, alongside legitimate users, Tor would
also attract troublemakers who exploit Tor to abuse services on the
Internet with vandalism, rude mail, and so on. Our initial answer
to this situation was to use ``exit policies'' to allow individual
Tor nodes to block access to specific IP/port ranges. This
approach aims to make operators more willing to run Tor by allowing
them to prevent their nodes from being used for abusing particular
services. For example, all Tor nodes currently block SMTP (port
25), to avoid being used for spam.

Exit policies are useful, but they are insufficient: if not all
nodes block a given service, that service may try to block Tor
instead. While being blockable is important to being good
netizens, we would like to encourage services to allow anonymous
access. Services should not need to decide between blocking
legitimate anonymous use and allowing unlimited abuse.

This is potentially a bigger problem than it may appear. On the
one hand, services should be allowed to refuse connections from
sources of possible abuse. But when a Tor node administrator
decides whether he prefers to be able to post to Wikipedia from his
IP address, or to allow people to read Wikipedia anonymously
through his Tor node, he is making the decision for others as
well. (For a while, Wikipedia blocked all posting from all Tor
nodes based on IP addresses.) If the Tor node shares an address
with a campus or corporate NAT, then the decision can prevent the
entire population from posting. This is a loss for both Tor and
Wikipedia: we don't want to compete for (or divvy up) the
NAT-protected entities of the world.

Worse, many IP blacklists are coarse-grained: they ignore Tor's
exit policies, partly because it's easier to implement and partly
so they can punish all Tor nodes. One IP blacklist even bans every
class C network that contains a Tor node, and recommends banning
SMTP from these networks even though Tor does not allow SMTP at
all. This strategic decision aims to discourage the operation of
anything resembling an open proxy by encouraging its neighbors to
shut it down to get unblocked themselves. This pressure even
affects Tor nodes running in middleman mode (disallowing all exits)
when those nodes are blacklisted too.

Problems of abuse occur mainly with services such as IRC networks
and Wikipedia, which rely on IP blocking to ban abusive users.
While at first blush this practice might seem to depend on the
anachronistic assumption that each IP is an identifier for a single
user, it is actually more reasonable in practice: it assumes that
non-proxy IPs are a costly resource, and that an abuser can not
change IPs at will. By blocking IPs which are used by Tor nodes,
open proxies, and service abusers, these systems hope to make
ongoing abuse difficult. Although the system is imperfect, it
works tolerably well for them in practice.

Of course, we would prefer that legitimate anonymous users be able
to access abuse-prone services. One conceivable approach would
require would-be IRC users, for instance, to register accounts if
they want to access the IRC network from Tor. In practice this
would not significantly impede abuse if creating new accounts were
easily automatable; this is why services use IP blocking. To deter
abuse, pseudonymous identities need to require a significant
switching cost in resources or human time. Some popular webmail
applications impose cost with Reverse Turing Tests, but this step
may not deter all abusers. Freedom used blind signatures to limit
the number of pseudonyms for each paying account, but Tor has
neither the ability nor the desire to collect payment.

We stress that as far as we can tell, most Tor uses are not
abusive. Most services have not complained, and others are actively
working to find ways besides banning to cope with the abuse. For
example, the Freenode IRC network had a problem with a coordinated
group of abusers joining channels and subtly taking over the
conversation; but when they labelled all users coming from Tor IPs
as ``anonymous users,'' removing the ability of the abusers to
blend in, the abuse stopped.

> "everyone is so worried about it, but has any one ever been successfully
> been able to use tor to effectively spam anyone?"
>
> Yes, of course! We deal with it constantly. We have an effective means
> of dealing with it: we block Tor servers from editing wikipedia. But is
> that what any of us want?
>
Huh? See above.
> "Misbehaviour is in the eye of the observer, however."
>
> No, actually it isn't. There is such a thing as objectively
> identifiable malicious behavior. We aren't Chinese censors here. We're
> the good guys. We want to work with you.
>
> Yes, we could implement tight security to only allow people who identify
> themselves (perhaps we'll require a credit card number, someone
> suggests?)... but *cough*, aren't we supposed to care about privacy here?
>
Yes we are, but that's not the only security you could implement, and
I hope no one would suggest it. But getting someone else's IP address
is no harder than getting someone else's credit card number. In fact
much easier since they are explicitly not unique to individual people
most of the time, and there are even fewer attempts to protect them
than to protect credit card numbers. I think I can safely speak for
the main Tor developers and designers when I say that we would be glad
to work with you to develop Tor-compatible authentication mechanisms
that are more appropriate qua authentication mechanisms than you now
have. And you can rest assured that we would be at least as concerned
about protecting the identity of those using it as you would be.
aloha,
Paul
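
The paper excerpt quoted in this message notes that coarse-grained blacklists ignore exit policies and so also catch middleman nodes and nodes that cannot reach the service at all. The following is an added example, not part of the original message and not Tor's own code: it evaluates each relay's exit policy against one service address and port, so that only relays able to exit to that service are listed (for labelling or blocking). The relay addresses, policies and service address are constructed, and the parser covers only the IPv4 `accept|reject ADDR[/MASK]:PORT[-PORT]` subset of the policy syntax.

```python
import ipaddress

def parse_rule(line):
    """Parse one 'accept|reject ADDR[/MASK]:PORT[-PORT]' line (IPv4 subset)."""
    action, pattern = line.split()
    if action not in ("accept", "reject"):
        raise ValueError("unknown action: " + action)
    addr, _, ports = pattern.rpartition(":")
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    else:
        lo_s, _, hi_s = ports.partition("-")
        lo, hi = int(lo_s), int(hi_s or lo_s)
    return action == "accept", net, lo, hi

def exit_allows(policy, ip, port):
    """First matching rule decides; with no match the connection is accepted."""
    target = ipaddress.ip_address(ip)
    for line in policy:
        accept, net, lo, hi = parse_rule(line)
        if (net is None or target in net) and lo <= port <= hi:
            return accept
    return True

def exits_reaching(relays, service_ip, service_port):
    """Relay addresses whose policy permits exiting to service_ip:service_port."""
    return sorted(ip for ip, policy in relays.items()
                  if exit_allows(policy, service_ip, service_port))

# Constructed sample data (documentation address ranges), not real relays.
RELAYS = {
    "192.0.2.1":    ["reject *:25", "accept *:80", "accept *:443", "reject *:*"],
    "192.0.2.2":    ["reject *:*"],                          # middleman, no exits
    "198.51.100.7": ["reject 203.0.113.0/24:*", "accept *:*"],  # operator blocks the service
    "198.51.100.8": ["reject *:25", "accept *:6660-6669", "reject *:*"],  # IRC only
}
SERVICE = ("203.0.113.10", 80)  # hypothetical web service deciding whom to label

if __name__ == "__main__":
    coarse = sorted(RELAYS)                 # what an IP-only blacklist would list
    fine = exits_reaching(RELAYS, *SERVICE)  # relays that can actually reach the service
    print("coarse list:", coarse)
    print("policy-aware list:", fine)
    print("needlessly listed:", sorted(set(coarse) - set(fine)))
```
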