On 10/2/14, Kevin Wayne Williams <kwwilliams(a)kwwilliams.com> wrote:
> Derric Atzrott schreef op 2014/09/30 6:08:
>> Hello everyone,
>> [snip]
>> There must be a way that we can allow users to work from Tor.
>> [snip more]
>
> I think the first step is to work harder to block devices, not IP
> addresses. One jerk with a cell phone cycles through so many IP
> addresses so quickly in such active ranges that our current protection
> techniques are useless. Any child can figure out how to pull his cable
> modem out of the wall and plug it back in.
>
> Focusing on what signature we can obtain from (or plant on) the device
> and how to make that signature available to and manageable by admins is
> the key. Maybe we require a WMF supplied app before one can edit from a
> mobile device. Maybe we plant cookies on every machine that edits
> Wikipedia to allow us to track who's using the machine and block access
> to anyone that won't permit the cookies to be stored. There are probably
> other techniques. The thing to remember is that the vast majority of our
> sockpuppeteers are actually fairly stupid and the ones that aren't will
> make their way past any technique short of retina scanning. It doesn't
> matter whether a blocking technique allows a tech-savvy user to bypass
> it somehow. Anything is better than a system that anyone can bypass by
> turning his cable modem off and on.
>
> Once we have a system that allows us to block individual devices
> reasonably effectively, it won't matter whether those people are using
> Tor to get to us or not.
>
> KWW
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l(a)lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

So all we need is either:

A) Magic browser fingerprinting with no (or almost no) false positives
when used against everyone in the world. With the fingerprinting code
having at most access to JavaScript to run code (but preferably not
even needing that) and it has to be robust in the face of the user
being able to maliciously modify the code as they please.

B) Tamper-proof modules inside every device to uniquely identify it.
(Can we say police state?)

Arguably those aren't making the assumption that "[users] are actually
fairly stupid". But even a simplified version of those requirements,
such as, must block on a per-device basis, must involve more work than
unplugging a cable modem to get unblocked, delves into the territory of
absurdly hard.

Although perhaps there is some subset of the population we could use
additional methods on. Cookies are pretty useless (If you think
getting a new IP is easy, you should see what it takes to delete a
cookie). Supercookies (e.g. Evercookie) might be more useful, but
many people view such things as evil. Certain browsers might have a
distinctive enough fingerprint to block based on that, but I doubt
we'd ever be able to do that for all browsers. These things are also
likely to be considered "security vulnerabilities", so probably not
something to be relied on over long term as people fix the issues that
allow people to be tracked this way.

> Once we have a system that allows us to block individual devices
> reasonably effectively, it won't matter whether those people are using
> Tor to get to us or not

If you can find a way to link a Tor user to the device they are using,
then you have essentially broken Tor. Which is not an easy feat.
--bawolff
p.s. Obligatory xkcd
https://xkcd.com/1425/