I still believe that Nymble is the way to go here. It is the only solution
that
successfully allows negotiation of a secure collateral that can still be
blacklisted after abuse has occurred.
Although, as mentioned, it is all about the collateral. Making the user
provide
something that requires work to obtain.
*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
On Tue, Sep 30, 2014 at 3:40 PM, Risker <risker.wp(a)gmail.com> wrote:
Okay, so I have to ask. What is this obsession with
enabling TOR editing?
Stewards are having to routinely disable significant IP ranges because of
spamming/vandalism/obvious paid editing/etc through anonymizing proxies,
open proxies, and VPNs - so I'm not really seeing a positive advantage in
enabling an editing vector that would be as useful to block as the old AOL
IPs.[1] If the advocates of enabling TOR were all willing to come play
whack-a-mole - and keep doing it, day in and day out, for years - there
might be something to be said for it. But it would be a terrible waste of
a lot of talent, and I'm pretty sure none of you are all that interested in
devoting your volunteer time that way.
We know what the "technical" solution would be here: to turn the
on/off switch to "on". Enabling TOR from a technical perspective is
simple. Don't forget, while you're at it, to address the unregistered
editing attribution conundrum that has always been the significant
secondary issue.
I'd encourage all of you to focus on technical ways to prevent
abusive/inappropriate editing from all types of anonymizing edit platforms,
including VPNs, sites like Anonymouse, etc. TOR is but
one editing vector that is similarly problematic, and it would boggle the
minds of most users to discover that developers are more interested in
enabling another of these vectors rather than thinking about how to prevent
problems from the ones that are currently not systemically shut down.
Risker/Anne
[1] Historical note - back in the day, AOL used to reassign IPs with every
new link accessed through the internet (i.e., new IP every time someone
went to a new Wikipedia page). It was impossible to block AOL vandals.
This resulted in most of the known AOL IP ranges being blocked, since there
was no other way to address the problem.
On 30 September 2014 14:52, Brian Wolff <bawolff(a)gmail.com> wrote:
On 9/30/14, Derric Atzrott
<datzrott(a)alizeepathology.com> wrote:
> Alright, this is a long email, and it acts to basically summarise all
of
the
> discussions that have already happened on this topic. I'll be posting
a
copy
of it to
Mediawiki.org as well so that it will be easier to find out
about
what has already been proposed in the future.
There is a policy side to this, Meta has the "No open proxies" policy,
which
> would need to be changed, but I doubt that such policies will be
changed
> unless those of us on this list can come up
with a good way to allow
Tor
users
to edit. If we can come up with a way that solves most of the problems
the
community has, then I think there is a good
chance that this policy can
be
changed.
I'd like to add an idea I've been thinking about to make TOR more
acceptable.
A big part of the problem is that there are hundreds (thousands?) of
exit nodes, so if someone is being bad, they just have to wait 5
minutes to get a new one, making it very hard to block them.
So what we could do, is map all tor connections to appear (To MW) as
if they are coming from a few private IP addresses. This way its easy
to block temporarily (in case of a whole slew of vandalism comes in),
the political decision on whether to block or not becomes a local
problem (The best kind of solution to a problem is the type that makes
it somebody else's problem ;) I would personally hope that admins
would only give short term block to such an address during waves of
vandalism, but ultimately it would be up to them.
To be explicit, the potential idea is as follows:
*User access via tor
*MediaWiki sees its a tor request
*Try to do limited browser fingerprinting, to perhaps mitigate the
affect of an unclued user not using tor browser being bad ruining it
for everyone. Say take a hash of the user-agent and various accept
headers, and turn it into a number between 1 and 16.
*Make MW think the IP is 172.16.0.<number from previous step>
Then all the tor edits are all together, and easy to notice if
somebody is abusing them, and easy for a local admin to block all at
once if need be.
This would also make most of the rate limiting apply against all
people accessing via tor instead of doing rate limiting per exit node,
which is probably a good thing, and would prevent repetitive abuse,
people registering 10 billion accounts, etc. If we did this, we may
also want to make pretty much every action trigger a captcha for those
addresses (perhaps even if you are logged in from those addresses),
instead of the current lax captcha triggering (On the bright side, our
captchas are actually readable by people, unlike say cloudflare's
(recaptcha) which I can't make heads or tails of).
If there are further concerns about potential abuse, we could tag all
edits coming from TOR (including if user is logged in) with an edit
tag of "tor" (Although that might be in violation of privacy policy by
exposing how a logged in user is accessing the site).
Thoughts? Would this actually make TOR be acceptable to the Wikipedians?
--bawolff
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l