Hello Wikimedia,
here some people have posted some thoughts about the problem of anonymous posting.
I have experienced it too. For me it looks like that: I have posted answer on the Talk page, while being anonymous, so system has fixed my IP address; from my answer it is perfectly seen that it was me who posted it, so everyone can for sure identify me and my IP address. And, for now, everyone can see my IP address in history of this page.
But it was supposed that my IP address should be private in wikipedia. since it's static, it is not private anymore in any way.
For now for me it is not very terrible problem; but I think it could be for someone or for me in some time!
What could we think of to solve this problem with privacy?
My first proposal: after I am logged on, I should have the option to disallow my IP address from anonymous posting. So when I am on wikipedia once again, anonymous, the system won't give me the possibility to save changes without logging in (or, may be, pushing explicit button "I want to edit without logging in, with ip-address logged").
On 5/17/05, monk@zoomcon.com monk@zoomcon.com wrote:
My first proposal: after I am logged on, I should have the option to disallow my IP address from anonymous posting. So when I am on wikipedia once again, anonymous, the system won't give me the possibility to save changes without logging in (or, may be, pushing explicit button "I want to edit without logging in, with ip-address logged").
This would be a very dangerous facility, if provided. It would mean that anyone using a proxy server could block everyone else using the proxy server, inadvertently. If we did something like this it would need doing with cookies, I suppose.
-- Abi
Hello Abigail,
Tuesday, May 17, 2005, 3:53:28 PM, you wrote:
My first proposal: after I am logged on, I should have the option to disallow my IP address from anonymous posting. So when I am on wikipedia once again, anonymous, the system won't give me the possibility to save changes without logging in (or, may be, pushing explicit button "I want to edit without logging in, with ip-address logged").
This would be a very dangerous facility, if provided. It would mean that anyone using a proxy server could block everyone else using the proxy server, inadvertently.
Why? I don't propose letting to log in only for THAT only user. Any user will be able to log in - or even to post anonymously - it just won't be so implicit.
If we did something like this it would need doing with cookies, I suppose.
I think, usual "remember my password across session" option is already working through cookies. So if cookies are set properly, I will be already logged on. And if I'm not logged on, cookies are wrong - so I think your proposition has little sense...
<monk <at> zoomcon.com> writes:
Hello Abigail,
Tuesday, May 17, 2005, 3:53:28 PM, you wrote:
My first proposal: after I am logged on, I should have the option to disallow my IP address from anonymous posting. So when I am on wikipedia once again, anonymous, the system won't give me the possibility to save changes without logging in (or, may be, pushing explicit button "I want to edit without logging in, with ip-address logged").
This would be a very dangerous facility, if provided. It would mean that anyone using a proxy server could block everyone else using the proxy server, inadvertently.
Why? I don't propose letting to log in only for THAT only user. Any user will be able to log in - or even to post anonymously - it just won't be so implicit.
If we did something like this it would need doing with cookies, I suppose.
I think, usual "remember my password across session" option is already working through cookies. So if cookies are set properly, I will be already logged on. And if I'm not logged on, cookies are wrong - so I think your proposition has little sense...
I'm not sure if I'm in the right list? If not, I apologize. I'm having about these same kinds of concerns. I'll be installing a WIKI for a controversial subject where: 1) Users are concerned about their identity, and _cannot_ have their IP's seen by others. 2) Vandalism could be rampant. For (1), someone advised me and I was able to easily edit ProxyTools.php to always record the IP as 123.123.123.123 and that was great, but ofcourse this has problems if we want to deal with vandals. The only way out would then be to disable anonymous edits, but as someone on this list made the point: If we do that, we're going to loose big time as much less people will edit. So I need anonymous editing, with safety of the users ensured and vandalism taken care of too.
Is there any way where only SysOps can see the actual IP address, while others see the same string "xxx"? A good solution would be to have some sort of a coded IP which would still be a unique number identifying the user but not the real IP which exposes the location of the individual, but this would be too complex.
How can we change it such that, if a Sysop is logged in, he sees the real IP's but if its anyone else, they just see "111.111.111.111" The IP address is recorded in atleast 3 different databases.
I'm trying to find out a way for doing this. Any advice is greatly appreciated!
thank you Eric
On 19/05/05, Eric ek79501@yahoo.com wrote:
<monk <at> zoomcon.com> writes:
Hello Abigail,
Tuesday, May 17, 2005, 3:53:28 PM, you wrote:
My first proposal: after I am logged on, I should have the option to disallow my IP address from anonymous posting. So when I am on wikipedia once again, anonymous, the system won't give me the possibility to save changes without logging in (or, may be, pushing explicit button "I want to edit without logging in, with ip-address logged").
This would be a very dangerous facility, if provided. It would mean that anyone using a proxy server could block everyone else using the proxy server, inadvertently.
Why? I don't propose letting to log in only for THAT only user. Any user will be able to log in - or even to post anonymously - it just won't be so implicit.
If we did something like this it would need doing with cookies, I suppose.
I think, usual "remember my password across session" option is already working through cookies. So if cookies are set properly, I will be already logged on. And if I'm not logged on, cookies are wrong - so I think your proposition has little sense...
I'm not sure if I'm in the right list? If not, I apologize. I'm having about these same kinds of concerns. I'll be installing a WIKI for a controversial subject where:
- Users are concerned about their identity, and _cannot_ have their IP's seen
by others. 2) Vandalism could be rampant. For (1), someone advised me and I was able to easily edit ProxyTools.php to always record the IP as 123.123.123.123 and that was great, but ofcourse this has problems if we want to deal with vandals. The only way out would then be to disable anonymous edits, but as someone on this list made the point: If we do that, we're going to loose big time as much less people will edit. So I need anonymous editing, with safety of the users ensured and vandalism taken care of too.
Is there any way where only SysOps can see the actual IP address, while others see the same string "xxx"? A good solution would be to have some sort of a coded IP which would still be a unique number identifying the user but not the real IP which exposes the location of the individual, but this would be too complex.
How can we change it such that, if a Sysop is logged in, he sees the real IP's but if its anyone else, they just see "111.111.111.111" The IP address is recorded in atleast 3 different databases.
I'm trying to find out a way for doing this. Any advice is greatly appreciated!
thank you Eric
Wikitech-l mailing list Wikitech-l@wikimedia.org http://mail.wikipedia.org/mailman/listinfo/wikitech-l
Eric <ek79501 <at> yahoo.com> writes:
<monk <at> zoomcon.com> writes:
Hello Abigail,
Tuesday, May 17, 2005, 3:53:28 PM, you wrote:
My first proposal: after I am logged on, I should have the option to disallow my IP address from anonymous posting. So when I am on wikipedia once again, anonymous, the system won't give me the possibility to save changes without logging in (or, may be, pushing explicit button "I want to edit without logging in, with ip-address logged").
This would be a very dangerous facility, if provided. It would mean that anyone using a proxy server could block everyone else using the proxy server, inadvertently.
Why? I don't propose letting to log in only for THAT only user. Any user will be able to log in - or even to post anonymously - it just won't be so implicit.
If we did something like this it would need doing with cookies, I suppose.
I think, usual "remember my password across session" option is already working through cookies. So if cookies are set properly, I will be already logged on. And if I'm not logged on, cookies are wrong - so I think your proposition has little sense...
I'm not sure if I'm in the right list? If not, I apologize. I'm having about these same kinds of concerns. I'll be installing a WIKI for a controversial subject where:
- Users are concerned about their identity, and _cannot_ have their IP's seen
by others. 2) Vandalism could be rampant. For (1), someone advised me and I was able to easily edit ProxyTools.php to always record the IP as 123.123.123.123 and that was great, but ofcourse this has problems if we want to deal with vandals. The only way out would then be to disable anonymous edits, but as someone on this list made the point: If we do that, we're going to loose big time as much less people will edit. So I need anonymous editing, with safety of the users ensured and vandalism taken care of too.
Is there any way where only SysOps can see the actual IP address, while others see the same string "xxx"? A good solution would be to have some sort of a coded IP which would still be a unique number identifying the user but not the real IP which exposes the location of the individual, but this would be too complex.
How can we change it such that, if a Sysop is logged in, he sees the real IP's but if its anyone else, they just see "111.111.111.111" The IP address is recorded in atleast 3 different databases.
I'm trying to find out a way for doing this. Any advice is greatly appreciated!
thank you Eric
WOW.
I think I got the solution to this privacy problem. I'm going to be installing WIKI myself and will hack it for my own needs. The aim is to identity each anonymous edit with a unique number. Right? Well then, a different unique number can be coded using a special formula which ends us up with a 1-to-1 relationship. The coded IP or number which can even be a mixture of Alphabets and Numerals or anything, will never reveal the true IP - but will still be a unique representation for that posting. That easy. If the formula is complex enough, no one can figure it out and hence the IP. Now I gotta figure out how to manipulate text in PHP and to figure out a very complex formula which "encrypts" the IP.
If there's anyone who has to see the real IP, its only the admins. Its not wise at all for every Jack to see the IP's.
Great work, Eric! Patting my own back. I did what these WikiMedia people could not do. Comments eh? Or any advice for the encryption?
Eric
On 5/19/05, Eric ek79501@yahoo.com wrote:
Great work, Eric! Patting my own back. I did what these WikiMedia people could not do. Comments eh? Or any advice for the encryption?
Perhaps it is not incompetance on the part of everyone else, but your failure to effectively communicate your goal? The simplest answer...
Anyway, it sounds like you want a secure hash, so why not use something like MD5 or SHA or something?
Jeremy Dunck wrote:
Anyway, it sounds like you want a secure hash, so why not use something like MD5 or SHA or something?
He wants administrators to be able to see the IP addresses, so a hash is not the right tool for the job unless he wants to build his own rainbow tables. A symmetric cipher would do fine, if he's insisting on cryptography rather on just removing access to the IP data to regular users.
-IK
Eric wrote:
The aim is to identity each anonymous edit with a unique number. Right? Well then, a different unique number can be coded using a special formula which ends us up with a 1-to-1 relationship.
This means that the IP address can still be reconstructed from the "unique number". What you are suggesting is called "security by obscurity". Unfortunately, you are forgetting that the source code is open, and so any formula - no matter how complex - can be seen by everybody.
I'm not sure if the GPL allows you to keep your formula secret. But even if it does, you only need an untrustworthy admin, or an accidental technical problem that reveals the relevant source code, and the IP addresses can be reconstructed until you find out that the formula has leaked.
Additionally, you are forgetting that dial-up users sometimes get an IP allocated that a different user had in the past. If they can see they get the same ID allocated for their edits as a previous user, it will be obvious that they had the same IP.
Sorry to bust your bubble. Timwi
Timwi timwi@gmx.net wrote:
Eric wrote:
The aim is to identity each anonymous edit with a unique number. Right? Well then, a different unique number can be coded using a special formula which ends us up with a 1-to-1 relationship.
This means that the IP address can still be reconstructed from the "unique number". What you are suggesting is called "security by obscurity". Unfortunately, you are forgetting that the source code is open, and so any formula - no matter how complex - can be seen by everybody.
I've actually thought about this sort of thing for a site I've been planning with anonymous users. The trick is to assign a *meaningless* number that nonetheless consistently maps to a particular IP address.
CREATE TABLE anonips ( anonid INTEGER NOT NULL AUTO_INCREMENT PRIMARY KEY, ipaddr INTEGER NOT NULL );
Then add a Special:Anonip, limited to sysops, that looks up an anonymous user number in the table and returns the IP address.
Yes, if you happen to get the same IP as a previous user, you'll know their old IP address. But it doesn't have to be perfect.
Brent 'Dax' Royal-Gordon <brentdax <at> gmail.com> writes:
I've actually thought about this sort of thing for a site I've been planning with anonymous users. The trick is to assign a *meaningless* number that nonetheless consistently maps to a particular IP address.
CREATE TABLE anonips ( anonid INTEGER NOT NULL AUTO_INCREMENT PRIMARY KEY, ipaddr INTEGER NOT NULL );
Then add a Special:Anonip, limited to sysops, that looks up an anonymous user number in the table and returns the IP address.
Yes, if you happen to get the same IP as a previous user, you'll know their old IP address. But it doesn't have to be perfect.
Your idea looks good. I tried doing the MD5 thing. It does generate a nonsense number that is almost impossible to crack, but WIKI didnt allow me to ban that certain user. Hmm. Maybe the output string was too large etc or something and the program was'nt designed to ban that long 'string' IP. The aim is to prevent anyone from seeing the real IP. There can be simple digit tranformations (put digit 7 in place 1, etc - kind of criss crossing) and mathematical operations on the IP's to contort them beyond recognition. Repeat a couple of times to really mix it up, for example: --- 123.456.789.xxx 68x.12x.543.x97 add, 10,25,30 and 43 to each of the respective segments Jumble up again add something again --- And now you have a nonsense IP that's almost impossible to crack.
Regarding what a user said about "what if the formula is accessed by an unfaithful admin": If anyone's able to get that formula, they are able to get into my database anyway so there's no use of thinking "what if a hacker admin got in". If they got in, they've gotten everything anyway.
So we can get a certain number that is a 1-to-1 and I've seen in once instance that it allows us to ban single IP's as before. Do we admins really need real IP addresses for the vandal, unless we want to report any vandalism act. And oh, in our special:reverseip page, we could actually write the reverse formula that gives us the real IP if we need it.
The only big problem is banning IP blocks. I dont know if that will work. I have to try and see.
Eric wrote:
Jumble up again add something again
And now you have a nonsense IP that's almost impossible to crack.
No. You have a nonsense IP that anyone with the slightest determination can reverse-engineer. As I previously mentioned, you have two ways of ensuring strong anonymity. You can hide the IP completely from visitors, and just allow the admins to see it, or you can use an asymmetric cipher with a site-wide password. The latter option has the advantage that you can salt with another known property of the edit - say, timestamp - to get a new per-edit identifier for the same IP each time, avoiding the problem with Brent's solution.
While it may well be enough for the level of anonymity you're striving for, claiming that your makeshift cryptographic hand-waving is "almost impossible to crack" is, at the very least, ignorant.
-IK
Ivan Krstic <krstic <at> fas.harvard.edu> writes:
Eric wrote:
Jumble up again add something again
And now you have a nonsense IP that's almost impossible to crack.
No. You have a nonsense IP that anyone with the slightest determination can reverse-engineer. As I previously mentioned, you have two ways of ensuring strong anonymity. You can hide the IP completely from visitors, and just allow the admins to see it, or you can use an asymmetric cipher with a site-wide password. The latter option has the advantage that you can salt with another known property of the edit - say, timestamp - to get a new per-edit identifier for the same IP each time, avoiding the problem with Brent's solution.
While it may well be enough for the level of anonymity you're striving for, claiming that your makeshift cryptographic hand-waving is "almost impossible to crack" is, at the very least, ignorant.
-IK
You're probably right about the possibility of cracking the makeshift jumbling i suggested earlier, and the fixed salt MD5 seems a better option of assigning a unique number to each IP.
Your two ideas are good for anonymity, however, easily dealing with Vandalism is an equally important aim I cant afford to compromise with. If the IP's are hidden, people would not be able to click on that unique number and see all the edits by that certain number/IP. If the IP's are encrypted uniquely with different salt each time, that too will disable people from checking the vandalist acts made by the same IP. So one thing is clear: We need a unique number for each IP. The chance of someone having the same IP as another person is very small so that doesnt matter. The asymetric cypher you and others suggested seems the best choice. Interestingly the anonymous edit tracking works if the output 'code' (IP) starts with a number. If it starts with a letter (like f7564ghfdd), it doesnt work. That problem is solved by adding a constant number to each anonymous code (like 5f7564...). Anonymity means that ideally, not even Admins should see the real IP so the real IP should not be stored in the database even if MyPhPadmin is the only way to access it.
Dealing with vandalism is the remaining issue: The site will be controversial so there will be lots of vandals. Removing anoynous editing is an option but I want to see how it goes before I'm forced to remove anoymous editing. I dont believe Wiki is equipped to deal with vandals easily. Looking at the case of a vandal who does 50 edits in a single day and how WIKI itself advises to deal with it: - Click on all the rollback links So we'd have to click 50 times on all the rollback links. Think about dealing with this daily.
Since same IP's can be used by others, WIKI should add a certain unique random number that makes that IP and that machine unique. Something that could come from creating a cookie in that machine. So you'd have 111.111.111.111.PC_ABR34 PC_ABR34 identifies that certain PC so if another person is using another PC with the same IP, they'll get a different number. The aim is to differentiate 2 people using the same IP and thus differentiate the vandal from the good guy. With that in place, there should be a way to reject all the changes of a single IP/PC with a few sysop clicks.
Also, there should be protection from bots which copy paste the same text in the mass vandalism they do. Detection should be there to catch the same text being posted in different pages from the same IP and block or atleast postpone suspicious edits until someone approves it. Flood limits should be set between edits so we can reduce the number of spam vandal edits. Automatic Alert pages should be present for anonymous edits, particularly high volume edits from the same IP.
So I think that WIKI is not well equipped to deal with anonymous vandalism. It works for most of the information WIKI has which is nuetral, but this is a big problem for controversial topics where vandals are bound to be more. Removing anonymous editing has the disadvantage you know of already. There definitely has to be a way of dealing with anonymous vandalism more efficiently and quickly.
I'm glad the uniquq salt/code works, so I do have a way to ban a single IP but dealing the vandalism is the next big problem.
Eric
Ivan Krstic krstic@fas.harvard.edu wrote:
You can hide the IP completely from visitors, and just allow the admins to see it, or you can use an asymmetric cipher with a site-wide password. The latter option has the advantage that you can salt with another known property of the edit - say, timestamp - to get a new per-edit identifier for the same IP each time, avoiding the problem with Brent's solution.
I'm not sure you understand the problem we're trying to deal with here.
The idea is to make sure edits by the same person are connected somehow. Even as a non-admin, when I revert some vandal's work, I need to be able to see what else that person has done, so I can figure out if he's vandalized any other pages. I need to know that it's one person who keeps editing the same text into the page, not three. What I *don't* need is enough information to hack the person's computer or figure out if he's a political dissident in my own country. Hence, I don't need the IP, but I need *something* that's constant for that person.
If every edit will get a different "anonymous identity" (so to speak), we might as well just list "Anonymous" as the editor.
Also, some people have asked why even sysops need access to IP addresses. The reason is that they need to be able to block entire subnets occasionally, and to do that they need to know the IP.
Brent 'Dax' Royal-Gordon <brentdax <at> gmail.com> writes:
Ivan Krstic <krstic <at> fas.harvard.edu> wrote:
You can hide the IP completely from visitors, and just allow the admins to see it, or you can use an asymmetric cipher with a site-wide password. The latter option has the advantage that you can salt with another known property of the edit - say, timestamp - to get a new per-edit identifier for the same IP each time, avoiding the problem with Brent's solution.
I'm not sure you understand the problem we're trying to deal with here.
The idea is to make sure edits by the same person are connected somehow. Even as a non-admin, when I revert some vandal's work, I need to be able to see what else that person has done, so I can figure out if he's vandalized any other pages. I need to know that it's one person who keeps editing the same text into the page, not three. What I *don't* need is enough information to hack the person's computer or figure out if he's a political dissident in my own country. Hence, I don't need the IP, but I need *something* that's constant for that person.
If every edit will get a different "anonymous identity" (so to speak), we might as well just list "Anonymous" as the editor.
Also, some people have asked why even sysops need access to IP addresses. The reason is that they need to be able to block entire subnets occasionally, and to do that they need to know the IP.
Brent, Thanks for putting it nicely! MD5 hash is good for showing a consistent unique number but its now allowing me to ban. It says "user doesnt exist" when I try to ban that hash. I would greatly appreciate if you allow me to contact you and seek your help in this as you are going to do the same thing I need too: Show an anonymous IP, only admin sees the real IP and ban the blocks if people are being consistent vandals, etc. thanks a lot Eric
Timwi <timwi <at> gmx.net> writes:
This means that the IP address can still be reconstructed from the "unique number". What you are suggesting is called "security by obscurity". Unfortunately, you are forgetting that the source code is open, and so any formula - no matter how complex - can be seen by everybody.
No, if I modify the WIKI, no one has to see it. If I want to distribute it, I have to give rights to modify it further etc. But I can modify and keep it for myself so yes, GPL does allow me to keep my modified code to myself only. Untrustworthy admin etc.- if that happens yes, he'll have access to everyone's IP's. That can happen in any situation, even non-wiki, so.. that danger is always there in whatever we do.
On 5/22/05, Eric ek79501@yahoo.com wrote:
Timwi <timwi <at> gmx.net> writes:
This means that the IP address can still be reconstructed from the "unique number". What you are suggesting is called "security by obscurity". Unfortunately, you are forgetting that the source code is open, and so any formula - no matter how complex - can be seen by everybody.
No, if I modify the WIKI, no one has to see it. If I want to distribute it, I have to give rights to modify it further etc. But I can modify and keep it for myself so yes, GPL does allow me to keep my modified code to myself only. Untrustworthy admin etc.- if that happens yes, he'll have access to everyone's IP's. That can happen in any situation, even non-wiki, so.. that danger is always there in whatever we do.
Wikitech-l mailing list Wikitech-l@wikimedia.org http://mail.wikipedia.org/mailman/listinfo/wikitech-l
On 5/17/05, monk@zoomcon.com monk@zoomcon.com wrote:
My first proposal: after I am logged on, I should have the option to disallow my IP address from anonymous posting.
This is okay for you, as you have a static IP address - so it's okay for you to "claim" this address as your own. But many people use shared proxies (corporate, school, web-accellerator, etc.) and others have very dynamic IP addresses (AOL) too. If someone could "claim" one of these addresses then they could effectively deny service to everyone else in the group that shares that (for whatever period such a "claim" would last).
In most of those cases, there's really no sensible technical solution which would allow the software to distinguish between those with shared or dynamic IPs and those with static ones.
All I can suggest is that you make some significantly noticable change to your .css file (like changing the background colours of things). Hopefully you'll get used to these changes, and you'll be more likely to notice should you inadvertently edit while logged out.
Hello John,
Tuesday, May 17, 2005, 4:08:49 PM, you wrote:
My first proposal: after I am logged on, I should have the option to disallow my IP address from anonymous posting.
This is okay for you, as you have a static IP address - so it's okay for you to "claim" this address as your own. But many people use shared proxies (corporate, school, web-accellerator, etc.) and others have very dynamic IP addresses (AOL) too. If someone could "claim" one of these addresses then they could effectively deny service to everyone else in the group that shares that (for whatever period such a "claim" would last).
I want to stress again - I by no way meant to disallow anonymous posting AT ALL; just to make it more explicit.
All I can suggest is that you make some significantly noticable change to your .css file (like changing the background colours of things). Hopefully you'll get used to these changes, and you'll be more likely to notice should you inadvertently edit while logged out.
may be. Is there any note about custom css files? how to make them and so on.
monk@zoomcon.com wrote:
I want to stress again - I by no way meant to disallow anonymous posting AT ALL; just to make it more explicit.
We cannot make absolutely any changes that will make editing for non-logged-in users even the slightest bit more difficult. Many contributions, especially corrections of subtle errors, come from IP addresses, and the barrier to helping is already very high (because people don't expect that they can just edit). The few people that do, we cannot afford to lose even a single one of those edits.
On 5/17/05, John Fader jfader@gmail.com wrote:
All I can suggest is that you make some significantly noticable change to your .css file (like changing the background colours of things). Hopefully you'll get used to these changes, and you'll be more likely to notice should you inadvertently edit while logged out.
...which are documented, btw, at
http://meta.wikimedia.org/wiki/User_styles
(Thinks to self: hmm, it should be easy enough to write a [[greasemonkey]] script which detects when you're not logged in and zaps the edit page link.)
John Fader jfader@gmail.com wrote:
All I can suggest is that you make some significantly noticable change to your .css file (like changing the background colours of things). Hopefully you'll get used to these changes, and you'll be more likely to notice should you inadvertently edit while logged out.
*cough* Anon edit warning patch *cough*
(Speaking of which, I should enter that into Bugzilla...)
wikitech-l@lists.wikimedia.org