Neil Harris wrote:
Regarding Tor, does anyone have, or has anyone considered, an auto-discovery robot to find Tor proxies?
This would be a Tor client which would connect to Tor at regular intervals and hit a special URL with a magic authenticating token in it, that would automatically ban the IP in question.
Sooner or later, it would work its way through all, or almost all, of the proxies in the Tor cloud.
It's not necessary, Tor have a public exit node list. See for example http://serifos.eecs.harvard.edu:8000/cgi-bin/exit.pl . The Tor developers are actually very sympathetic to our situation... or at least they became sympathetic after a series of conversations between our developer Domas Mituzas and Tor developer Roger Dingledine, starting at the CCC last December.
My question to Roger at his CCC lecture was "are you going to provide us with a client library for automated blocking of Tor exit nodes?" to which his answer was no, but several months later we received this:
http://tor.eff.org/cvs/tor/contrib/exitlist
and the Tor developers even made plans to integrate it into MediaWiki for us. That hasn't eventuated, but I appreciate the gesture.
Roger's preferred solution in MediaWiki is to enable admins to make short-duration blocks (say 15 minutes) of all Tor exit nodes simultaneously. My preferred solution is to delay edits:
http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/18932
...although that is quite a bit more complicated and thus less likely to get done. At least my proposal serves to highlight our differences in viewpoint. Tor supporters like to justify their existence from the moral high ground of protection against government persecution or industrial espionage. But what the bulk of Tor users are really interested in is obscuring their identity server administrators, and that carries with it a different set of ethical implications.
Administrators of wikis, forums, webmail and IRC all use IP blacklists as a means to enforce a code of behaviour. Roger counters that server administrators should move from IP-based access control to more secure identification methods such as PKA coupled with credit card authentication. But would that really be a step forward for privacy?
-- Tim Starling