TL;DR: A few ideas follow on how we could possibly help legit editors contribute from behind Tor proxies. I am just conversant enough with the security problems to make unworkable suggestions ;-), so please correct me, critique & suggest solutions, and perhaps volunteer to help.
The current situation: https://en.wikipedia.org/wiki/Wikipedia:Advice_to_users_using_Tor_to_bypass_... We generally don't let anyone edit or upload from behind Tor; the TorBlock extension stops them. One exception: a person can create an account, accumulate lots of good edits, and then ask for an IP block exemption, and then use that account to edit from behind Tor. This is unappealing because then there's still a bunch of in-the-clear editing that has to happen first, and because then site functionaries know that the account is going to be making controversial edits (and could possibly connect it to IPs in the future, right?). And right now there's no way to truly *anonymously* contribute from behind Tor proxies; you have to log in. However, since JavaScript delivery is hard for Tor users, I'm not sure how much editing from Tor -- vandalism or legit -- is actually happening. (I hope for analytics on this and thus added it to https://www.mediawiki.org/wiki/Analytics/Dreams .) We know at least that there are legitimate editors who would prefer to use Tor and can't.
People have been talking about how to improve the situation for some time -- see http://cryptome.info/wiki-no-tor.htm and https://lists.torproject.org/pipermail/tor-dev/2012-October/004116.html . It'd be nice if it could actually move forward.
I've floated this problem past Tor and privacy people, and here are a few ideas:
1) Just use the existing mechanisms more leniently. Encourage the communities (Wikimedia & Tor) to use https://en.wikipedia.org/wiki/Wikipedia:Request_an_account (to get an account from behind Tor) and to let more people get IP block exemptions even before they've made any edits (< 30 people have gotten exemptions on en.wp in 2012). Add encouraging "get an exempt account" language to the "you're blocked because you're using Tor" messaging. Then if there's an uptick in vandalism from Tor then they can just tighten up again.
2) Encourage people with closed proxies to re-vitalize https://en.wikipedia.org/wiki/Wikipedia:WOCP . Problem: using closed proxies is okay for people with some threat models but not others.
3) Look at Nymble - http://freehaven.net/anonbib/#oakland11-formalizing and http://cgi.soic.indiana.edu/~kapadia/nymble/overview.php . It would allow Wikimedia to distance itself from knowing people's identities, but still allow admins to revoke permissions if people acted up. The user shows a real identity, gets a token, and exchanges that token over tor for an account. If the user abuses the site, Wikimedia site admins can blacklist the user without ever being able to learn who they were or what other edits they did. More: https://cs.uwaterloo.ca/~iang/ Ian Golberg's, Nick Hopper's, and Apu Kapadia's groups are all working on Nymble or its derivatives. It's not ready for production yet, I bet, but if someone wanted a Big Project....
3a) A token authorization system (perhaps a MediaWiki extension) where the server blindly signs a token, and then the user can use that token to bypass the Tor blocks. (Tyler mentioned he saw this somewhere in a Bugzilla suggestion; I haven't found it.)
4) Allow more users the IP block exemption, possibly even automatically after a certain number of unreverted edits, but with some kind of FlaggedRevs integration; Tor users can edit but their changes have to be reviewed before going live. We could combine this with (3); Nymble administrators or token-issuers could pledge to review edits coming from Tor. But that latter idea sounds like a lot of social infrastructure to set up and maintain.
Thoughts? Are any of you interested in working on this problem? #tor on the OFTC IRC server is full of people who'd be interested in talking about this.
I rather think that devs' time would be best spent ensuring that our tools against Tor users and open proxies are effective and reliable. Huge amounts of volunteers' time are spent combating abuse of them, with inadequate tools. See for instance: https://bugzilla.wikimedia.org/show_bug.cgi?id=30716 https://bugzilla.wikimedia.org/show_bug.cgi?id=42438 https://bugzilla.wikimedia.org/show_bug.cgi?id=8475
As for legitimate users, probably the most useful thing to do would be ensuring that the TorBlock extension shows an understandable error message and sends people to a translatable page with instructions valid for all language editions of our projects with current poliecies (most projects will have none).
Nemo
Add to that list the underlying XFF blocking bug.
https://bugzilla.wikimedia.org/show_bug.cgi?id=23343
Back on topic, is it necessary for good users seeking IP block exemption to be checkusered? I doubt it.
IP block exemption is rarely given because it allows someone to keep editing on their main account when a sock is blocked.
Tor exemption should be separate from IP block exemption.
John Vandenberg. sent from Galaxy Note On Dec 28, 2012 12:13 PM, "Federico Leva (Nemo)" nemowiki@gmail.com wrote:
I rather think that devs' time would be best spent ensuring that our tools against Tor users and open proxies are effective and reliable. Huge amounts of volunteers' time are spent combating abuse of them, with inadequate tools. See for instance: https://bugzilla.wikimedia.**org/show_bug.cgi?id=30716https://bugzilla.wikimedia.org/show_bug.cgi?id=30716 https://bugzilla.wikimedia.**org/show_bug.cgi?id=42438https://bugzilla.wikimedia.org/show_bug.cgi?id=42438 https://bugzilla.wikimedia.**org/show_bug.cgi?id=8475https://bugzilla.wikimedia.org/show_bug.cgi?id=8475
As for legitimate users, probably the most useful thing to do would be ensuring that the TorBlock extension shows an understandable error message and sends people to a translatable page with instructions valid for all language editions of our projects with current poliecies (most projects will have none).
Nemo
______________________________**_________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/**mailman/listinfo/wikitech-lhttps://lists.wikimedia.org/mailman/listinfo/wikitech-l
On Dec 28, 2012 12:47 PM, "John Vandenberg" jayvdb@gmail.com wrote:
Add to that list the underlying XFF blocking bug.
https://bugzilla.wikimedia.org/show_bug.cgi?id=23343
Back on topic, is it necessary for good users seeking IP block exemption
to be checkusered? I doubt it.
IP block exemption is rarely given because it allows someone to keep
editing on their main account when a sock is blocked.
Hmm. I guess Tor does too ;)
Tor exemption should be separate from IP block exemption.
..so ignore that comment ;)
John Vandenberg. sent from Galaxy Note
On Dec 28, 2012 12:13 PM, "Federico Leva (Nemo)" nemowiki@gmail.com
wrote:
I rather think that devs' time would be best spent ensuring that our
tools against Tor users and open proxies are effective and reliable. Huge amounts of volunteers' time are spent combating abuse of them, with inadequate tools.
See for instance: https://bugzilla.wikimedia.org/show_bug.cgi?id=30716 https://bugzilla.wikimedia.org/show_bug.cgi?id=42438 https://bugzilla.wikimedia.org/show_bug.cgi?id=8475
As for legitimate users, probably the most useful thing to do would be
ensuring that the TorBlock extension shows an understandable error message and sends people to a translatable page with instructions valid for all language editions of our projects with current poliecies (most projects will have none).
Nemo
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
As for legitimate users, probably the most useful thing to do would be ensuring that the TorBlock extension shows an understandable error message and sends people to a translatable page with instructions valid for all language editions of our projects with current poliecies (most projects will have none).
I think this would be a great improvement to the situation. I personally use Tor pretty regularly, but seldom go to Wikipedia when using Tor because I know I'll be frustrated if I try to fix something.
Up until this discussion, I had no idea it was possible to request an exemption to the Tor block.
Thank you, Derric Atzrott
On Thu, Dec 27, 2012 at 7:26 PM, Sumana Harihareswara sumanah@wikimedia.org wrote:
- Look at Nymble - http://freehaven.net/anonbib/#oakland11-formalizing
and http://cgi.soic.indiana.edu/~kapadia/nymble/overview.php . It would allow Wikimedia to distance itself from knowing people's identities, but still allow admins to revoke permissions if people acted up. The user shows a real identity, gets a token, and exchanges that token over tor for an account. If the user abuses the site, Wikimedia site admins can blacklist the user without ever being able to learn who they were or what other edits they did. More: https://cs.uwaterloo.ca/~iang/ Ian Golberg's, Nick Hopper's, and Apu Kapadia's groups are all working on Nymble or its derivatives. It's not ready for production yet, I bet, but if someone wanted a Big Project....
A few things strike me there:
1: Is there one central PM and NM, or can there be multiple competing PM and NM providers? If the latter, there's no indication of how easy it is to set up a PM or NM. If the vandal can set up their own PM or NM, they can easily pretend to be an entirely new person for each edit, rendering the whole thing pointless.
2: It looks like Nymble allows us to block the person, but only for a short period of time (less than one day by default) at the discretion of the NM, since the "linking token" only works within one "linkability window".
3: The inability to see what other edits the user did before being blocked may also be a sticking point, as one of the first things many do when reverting vandalism is to check Special:Contributions to see if the user vandalized anything else at the same time.
Στις 28-12-2012, ημέρα Παρ, και ώρα 10:38 -0500, ο/η Brad Jorsch έγραψε:
On Thu, Dec 27, 2012 at 7:26 PM, Sumana Harihareswara sumanah@wikimedia.org wrote:
- Look at Nymble - http://freehaven.net/anonbib/#oakland11-formalizing
and http://cgi.soic.indiana.edu/~kapadia/nymble/overview.php . It would allow Wikimedia to distance itself from knowing people's identities, but still allow admins to revoke permissions if people acted up. The user shows a real identity, gets a token, and exchanges that token over tor for an account. If the user abuses the site, Wikimedia site admins can blacklist the user without ever being able to learn who they were or what other edits they did. More: https://cs.uwaterloo.ca/~iang/ Ian Golberg's, Nick Hopper's, and Apu Kapadia's groups are all working on Nymble or its derivatives. It's not ready for production yet, I bet, but if someone wanted a Big Project....
A few things strike me there:
1: Is there one central PM and NM, or can there be multiple competing PM and NM providers? If the latter, there's no indication of how easy it is to set up a PM or NM. If the vandal can set up their own PM or NM, they can easily pretend to be an entirely new person for each edit, rendering the whole thing pointless.
2: It looks like Nymble allows us to block the person, but only for a short period of time (less than one day by default) at the discretion of the NM, since the "linking token" only works within one "linkability window".
3: The inability to see what other edits the user did before being blocked may also be a sticking point, as one of the first things many do when reverting vandalism is to check Special:Contributions to see if the user vandalized anything else at the same time.
If we don't have the abiity to track down the user IP, what will we do about socks via Tor? And here what I mean is, checkusers won't be able to look at the edits of several apparently distinct users and be able, for example, to verify that they came from the same small subnet of ips from the same ISP.
Ariel
Sorry, just missing a bit of background:
What are the main use cases for people willing to use Tor while editing Wikimedia sites?
On 12/28/2012 11:14 AM, Quim Gil wrote:
Sorry, just missing a bit of background:
What are the main use cases for people willing to use Tor while editing Wikimedia sites?
The big one, as I see it (quoting from https://www.torproject.org/ ): "Activists use Tor to anonymously report abuses from danger zones. Whistleblowers use Tor to safely report on corruption." Iran, Burma, and China come up a lot in these discussions. Also, sometimes editors want to avoid surveillance from an ISP or employer.
https://www.torproject.org/about/torusers.html.en has more use cases for Tor use generally.
On 28 December 2012 17:36, Sumana Harihareswara sumanah@wikimedia.org wrote:
The big one, as I see it (quoting from https://www.torproject.org/ ): "Activists use Tor to anonymously report abuses from danger zones. Whistleblowers use Tor to safely report on corruption." Iran, Burma, and China come up a lot in these discussions. Also, sometimes editors want to avoid surveillance from an ISP or employer.
The use case is not so much Wikipedia, then. Wikinews, however.
- d.
On 12/28/2012 12:39 PM, David Gerard wrote:
On 28 December 2012 17:36, Sumana Harihareswara sumanah@wikimedia.org wrote:
The big one, as I see it (quoting from https://www.torproject.org/ ): "Activists use Tor to anonymously report abuses from danger zones. Whistleblowers use Tor to safely report on corruption." Iran, Burma, and China come up a lot in these discussions. Also, sometimes editors want to avoid surveillance from an ISP or employer.
The use case is not so much Wikipedia, then. Wikinews, however.
Commons and potentially Wikisource seem like possibilities as well. And perhaps less English Wikipedia than the Farsi, Chinese, and Burmese Wikipedias?
On 12/28/2012 12:43 PM, Sumana Harihareswara wrote:
On 12/28/2012 12:39 PM, David Gerard wrote:
On 28 December 2012 17:36, Sumana Harihareswara sumanah@wikimedia.org wrote:
The big one, as I see it (quoting from https://www.torproject.org/ ): "Activists use Tor to anonymously report abuses from danger zones. Whistleblowers use Tor to safely report on corruption." Iran, Burma, and China come up a lot in these discussions. Also, sometimes editors want to avoid surveillance from an ISP or employer.
The use case is not so much Wikipedia, then. Wikinews, however.
Commons and potentially Wikisource seem like possibilities as well. And perhaps less English Wikipedia than the Farsi, Chinese, and Burmese Wikipedias?
By the way, I fiddled with the metrics at https://metrics.torproject.org/users.html?table=censorship-events&start=... and got this list of countries: China, United Republic of Tanzania, Republic of Korea, Ethiopia, Philippines, Seychelles, Iran, Pakistan, Gibraltar, and Bangladesh.
Freedom House on the countries & territories that are worst re: freedom of expression: http://www.freedomhouse.org/report/special-reports/worst-worst-2012-worlds-m... : Equatorial Guinea, Eritrea, North Korea, Saudi Arabia, Somalia, Sudan, Syria, Turkmenistan, Uzbekistan, Tibet, Western Sahara, Belarus, Burma, Chad, China, Cuba, Laos, Libya, and the territory of South Ossetia.
IP block exemption is rarely given because it allows someone to keep editing on their main account when a sock is blocked.
Tor exemption should be separate from IP block exemption.
Note - that's just a config setting away. The rights are already separate rights, they just happen to be in the same group on Wikimedia.
-bawolff
On Fri, Dec 28, 2012 at 1:26 AM, Sumana Harihareswara <sumanah@wikimedia.org
wrote:
TL;DR: A few ideas follow on how we could possibly help legit editors contribute from behind Tor proxies. I am just conversant enough with the security problems to make unworkable suggestions ;-), so please correct me, critique & suggest solutions, and perhaps volunteer to help.
The current situation:
https://en.wikipedia.org/wiki/Wikipedia:Advice_to_users_using_Tor_to_bypass_... We generally don't let anyone edit or upload from behind Tor; the TorBlock extension stops them. One exception: a person can create an account, accumulate lots of good edits, and then ask for an IP block exemption, and then use that account to edit from behind Tor. This is unappealing because then there's still a bunch of in-the-clear editing that has to happen first, and because then site functionaries know that the account is going to be making controversial edits (and could possibly connect it to IPs in the future, right?). And right now there's no way to truly *anonymously* contribute from behind Tor proxies; you have to log in. However, since JavaScript delivery is hard for Tor users, I'm not sure how much editing from Tor -- vandalism or legit -- is actually happening. (I hope for analytics on this and thus added it to https://www.mediawiki.org/wiki/Analytics/Dreams .) We know at least that there are legitimate editors who would prefer to use Tor and can't.
People have been talking about how to improve the situation for some time -- see http://cryptome.info/wiki-no-tor.htm and https://lists.torproject.org/pipermail/tor-dev/2012-October/004116.html
I'm probably one of the many "Wikipedia folks" mentioned there, as I had a conversation about the issue with Roger Dingledine at 26C3 (where I subsequently gave a talk about Checkuser and sockpuppets). My impression back then was that while there was quite a lot of goodwill by smart Tor people to help Wikipedia find a solution, they were assuming a wrong threat model - basically just trying to reimplement IP autoblocks for Tor users, while ignoring the kind of abuse that is the reason for the existence of the Checkuser extension (and I am not confident that I was able to change that with my talk). The linked October 2012 thread still seems to assume that the problem is just "spammers using Tor".
. It'd be nice if it could actually move forward.
Thanks a lot for restarting this discussion, in any case. I would love to see a solution that enables editing Wikipedia via Tor, but I strongly recommend consulting Checkusers while developing it.
I've floated this problem past Tor and privacy people, and here are a few ideas:
- Just use the existing mechanisms more leniently. Encourage the
communities (Wikimedia & Tor) to use https://en.wikipedia.org/wiki/Wikipedia:Request_an_account (to get an account from behind Tor) and to let more people get IP block exemptions even before they've made any edits (< 30 people have gotten exemptions on en.wp in 2012). Add encouraging "get an exempt account" language to the "you're blocked because you're using Tor" messaging. Then if there's an uptick in vandalism from Tor then they can just tighten up again.
- Encourage people with closed proxies to re-vitalize
https://en.wikipedia.org/wiki/Wikipedia:WOCP . Problem: using closed proxies is okay for people with some threat models but not others.
- Look at Nymble - http://freehaven.net/anonbib/#oakland11-formalizing
and http://cgi.soic.indiana.edu/~kapadia/nymble/overview.php . It would allow Wikimedia to distance itself from knowing people's identities, but still allow admins to revoke permissions if people acted up. The user shows a real identity, gets a token, and exchanges that token over tor for an account. If the user abuses the site, Wikimedia site admins can blacklist the user without ever being able to learn who they were or what other edits they did. More: https://cs.uwaterloo.ca/~iang/ Ian Golberg's, Nick Hopper's, and Apu Kapadia's groups are all working on Nymble or its derivatives. It's not ready for production yet, I bet, but if someone wanted a Big Project....
As Brad and Ariel point out, Nymble in the form described on the linked project page does not seem to allow long-term blocks, and cannot deal with dynamic IPs. In other words, it would only provide the analogue of autoblock functionality for Tor users. The linked paper by Henry and Goldberg is more realistic about these limitations, discussing IP addresses only as one of several possible "unique identifiers" (§V). From the concluding remarks to that chapter, it seems most likely that they would recommend "some form of PKI or government ID-based registration" for our purposes.
3a) A token authorization system (perhaps a MediaWiki extension) where the server blindly signs a token, and then the user can use that token to bypass the Tor blocks. (Tyler mentioned he saw this somewhere in a Bugzilla suggestion; I haven't found it.)
- Allow more users the IP block exemption, possibly even automatically
after a certain number of unreverted edits, but with some kind of FlaggedRevs integration; Tor users can edit but their changes have to be reviewed before going live. We could combine this with (3); Nymble administrators or token-issuers could pledge to review edits coming from Tor. But that latter idea sounds like a lot of social infrastructure to set up and maintain.
Thoughts? Are any of you interested in working on this problem? #tor on the OFTC IRC server is full of people who'd be interested in talking about this.
-- Sumana Harihareswara Engineering Community Manager Wikimedia Foundation
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On 28/12/12 18:29, Tilman Bayer wrote:
On Fri, Dec 28, 2012 at 1:26 AM, Sumana Harihareswara wrote:
I've floated this problem past Tor and privacy people, and here are a few ideas:
- Just use the existing mechanisms more leniently. Encourage the
communities (Wikimedia & Tor) to use https://en.wikipedia.org/wiki/Wikipedia:Request_an_account (to get an account from behind Tor) and to let more people get IP block exemptions even before they've made any edits (< 30 people have gotten exemptions on en.wp in 2012). Add encouraging "get an exempt account" language to the "you're blocked because you're using Tor" messaging. Then if there's an uptick in vandalism from Tor then they can just tighten up again.
This seems the right approach.
- Encourage people with closed proxies to re-vitalize
https://en.wikipedia.org/wiki/Wikipedia:WOCP . Problem: using closed proxies is okay for people with some threat models but not others.
I didn't know about it. This is an interesting concept. It would be possible to setup some 'public wikipedia proxys' (eg. by an European chapter) and encourage its use. It would still be possible to checkuser people going through that, but a 2-tier process would be needed (wiki checkuser + proxy admin) thus protecting from a “rogue checkuser” (Is that the primary concern of good editors wishing to use proxys?). We could use that setup for gaining information about usage (eg. it was 90% spam).
- Look at Nymble - http://freehaven.net/anonbib/#oakland11-formalizing
and http://cgi.soic.indiana.edu/~kapadia/nymble/overview.php . It would allow Wikimedia to distance itself from knowing people's identities, but still allow admins to revoke permissions if people acted up. The user shows a real identity, gets a token, and exchanges that token over tor for an account. If the user abuses the site, Wikimedia site admins can blacklist the user without ever being able to learn who they were or what other edits they did. More: https://cs.uwaterloo.ca/~iang/ Ian Golberg's, Nick Hopper's, and Apu Kapadia's groups are all working on Nymble or its derivatives. It's not ready for production yet, I bet, but if someone wanted a Big Project....
As Brad and Ariel point out, Nymble in the form described on the linked project page does not seem to allow long-term blocks, and cannot deal with dynamic IPs. In other words, it would only provide the analogue of autoblock functionality for Tor users. The linked paper by Henry and Goldberg is more realistic about these limitations, discussing IP addresses only as one of several possible "unique identifiers" (§V). From the concluding remarks to that chapter, it seems most likely that they would recommend "some form of PKI or government ID-based registration" for our purposes.
Requiring a government ID for connecting through tor would be even worse for privacy.
I completely agree that matching with the IP address used to request the nymble token is not enough. Maybe if the tokens were instead based in ISP+zone geolocation, that could be a way. Still, that would still miss linkability for vandals which use eg. both their home and work connections.
3a) A token authorization system (perhaps a MediaWiki extension) where the server blindly signs a token, and then the user can use that token to bypass the Tor blocks. (Tyler mentioned he saw this somewhere in a Bugzilla suggestion; I haven't found it.)
Bug 3729 ?
Thoughts? Are any of you interested in working on this problem? #tor on the OFTC IRC server is full of people who'd be interested in talking about this.
This is a social problem. We have the tools to fix it (account creation + ip block exemption). If someone asked me for that (in a project where I can) because they are censored by their government I would gladly grant it. That also means that when they replaced 'Jimbo' with 'penis', 5 minutes after getting their account, I would notice and kick them out. In my experience, far more people is trying to use tor in wikipedia for vandalising than for doing constructive edits / due to local censorship. Although I concede that it's probably the opposite on ‘certain wikis’ I don't edit. The problem with global solutions are vandals abusing it.
"If I don't get caught on 10 edits I can edit through tor" is a candle for vandals. Note that "I don't get caught" is different than "doing a constructive edit".
An idea would be to force some recaptcha-style work before giving such tokens, so even though we know they will abuse the system, we are still using them as improving force (although the following vandalism could still be worse than what we gained).
I also wonder if we are not aiming too high, trying to solve the anonimity and traceability problems on the internet, while we have for instance captchas forced to anons and newbies on a couple wikis due to a bot vandalism done years ago (bug 41745).
On the topic of whether allowing Tor users to edit is a concern, I believe so. Because of Tor blocks, it is sometimes extremely difficult, or even impossible altogether, to edit Wikipedia for some users. I believe we should give these users the opportunity to contribute rather than have them punished because of others who misuse Tor for spamming/sockpuppeting.
As far as a solution goes, I have a complete codebase for Extension:TokenAuth, which allows users to have MediaWiki sign a blinded token, which can then be used to bypass a specific IP block in order to log in and edit. It is almost ready; there are just a few functionality problems with the JavaScript crypto library.
*--* *Tyler Romeo* Stevens Institute of Technology, Class of 2015 Major in Computer Science www.whizkidztech.com | tylerromeo@gmail.com
On Sat, Dec 29, 2012 at 7:12 PM, Platonides Platonides@gmail.com wrote:
On 28/12/12 18:29, Tilman Bayer wrote:
On Fri, Dec 28, 2012 at 1:26 AM, Sumana Harihareswara wrote:
I've floated this problem past Tor and privacy people, and here are a few ideas:
- Just use the existing mechanisms more leniently. Encourage the
communities (Wikimedia & Tor) to use https://en.wikipedia.org/wiki/Wikipedia:Request_an_account (to get an account from behind Tor) and to let more people get IP block exemptions even before they've made any edits (< 30 people have gotten exemptions on en.wp in 2012). Add encouraging "get an exempt account" language to the "you're blocked because you're using Tor" messaging. Then if there's an uptick in vandalism from Tor then they can just tighten up again.
This seems the right approach.
- Encourage people with closed proxies to re-vitalize
https://en.wikipedia.org/wiki/Wikipedia:WOCP . Problem: using closed proxies is okay for people with some threat models but not others.
I didn't know about it. This is an interesting concept. It would be possible to setup some 'public wikipedia proxys' (eg. by an European chapter) and encourage its use. It would still be possible to checkuser people going through that, but a 2-tier process would be needed (wiki checkuser + proxy admin) thus protecting from a “rogue checkuser” (Is that the primary concern of good editors wishing to use proxys?). We could use that setup for gaining information about usage (eg. it was 90% spam).
- Look at Nymble - http://freehaven.net/anonbib/#oakland11-formalizing
and http://cgi.soic.indiana.edu/~kapadia/nymble/overview.php . It
would
allow Wikimedia to distance itself from knowing people's identities, but still allow admins to revoke permissions if people acted up. The user shows a real identity, gets a token, and exchanges that token over tor for an account. If the user abuses the site, Wikimedia site admins can blacklist the user without ever being able to learn who they were or what other edits they did. More: https://cs.uwaterloo.ca/~iang/ Ian Golberg's, Nick Hopper's, and Apu Kapadia's groups are all working on Nymble or its derivatives. It's not ready for production yet, I bet, but if someone wanted a Big Project....
As Brad and Ariel point out, Nymble in the form described on the linked project page does not seem to allow long-term blocks, and cannot deal
with
dynamic IPs. In other words, it would only provide the analogue of autoblock functionality for Tor users. The linked paper by Henry and Goldberg is more realistic about these limitations, discussing IP
addresses
only as one of several possible "unique identifiers" (§V). From the concluding remarks to that chapter, it seems most likely that they would recommend "some form of PKI or government ID-based registration" for our purposes.
Requiring a government ID for connecting through tor would be even worse for privacy.
I completely agree that matching with the IP address used to request the nymble token is not enough. Maybe if the tokens were instead based in ISP+zone geolocation, that could be a way. Still, that would still miss linkability for vandals which use eg. both their home and work connections.
3a) A token authorization system (perhaps a MediaWiki extension) where the server blindly signs a token, and then the user can use that token to bypass the Tor blocks. (Tyler mentioned he saw this somewhere in a Bugzilla suggestion; I haven't found it.)
Bug 3729 ?
Thoughts? Are any of you interested in working on this problem? #tor on the OFTC IRC server is full of people who'd be interested in talking about this.
This is a social problem. We have the tools to fix it (account creation
- ip block exemption). If someone asked me for that (in a project where
I can) because they are censored by their government I would gladly grant it. That also means that when they replaced 'Jimbo' with 'penis', 5 minutes after getting their account, I would notice and kick them out. In my experience, far more people is trying to use tor in wikipedia for vandalising than for doing constructive edits / due to local censorship. Although I concede that it's probably the opposite on ‘certain wikis’ I don't edit. The problem with global solutions are vandals abusing it.
"If I don't get caught on 10 edits I can edit through tor" is a candle for vandals. Note that "I don't get caught" is different than "doing a constructive edit".
An idea would be to force some recaptcha-style work before giving such tokens, so even though we know they will abuse the system, we are still using them as improving force (although the following vandalism could still be worse than what we gained).
I also wonder if we are not aiming too high, trying to solve the anonimity and traceability problems on the internet, while we have for instance captchas forced to anons and newbies on a couple wikis due to a bot vandalism done years ago (bug 41745).
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On Fri, Jan 4, 2013 at 9:53 AM, Tyler Romeo tylerromeo@gmail.com wrote: [..]
As far as a solution goes, I have a complete codebase for Extension:TokenAuth, which allows users to have MediaWiki sign a blinded token, which can then be used to bypass a specific IP block in order to log in and edit. It is almost ready; there are just a few functionality problems with the JavaScript crypto library.
That sounds really cool. However I'm not sure how it solves the problem. If we allow people to get tokens signed that lets them bypass the TOR blocks, we may as well just not hand out tor blocks in the first place (if everyone can get a blinded token), or hand out the overrides via IP block exempt group (If we limit who can get such tokens).
-bawolff
On 4 January 2013 20:44, bawolff bawolff+wn@gmail.com wrote:
On Fri, Jan 4, 2013 at 9:53 AM, Tyler Romeo tylerromeo@gmail.com wrote: [..]
As far as a solution goes, I have a complete codebase for Extension:TokenAuth, which allows users to have MediaWiki sign a blinded token, which can then be used to bypass a specific IP block in order to
log
in and edit. It is almost ready; there are just a few functionality problems with the JavaScript crypto library.
That sounds really cool. However I'm not sure how it solves the problem. If we allow people to get tokens signed that lets them bypass the TOR blocks, we may as well just not hand out tor blocks in the first place (if everyone can get a blinded token), or hand out the overrides via IP block exempt group (If we limit who can get such tokens).
Bawolff has it right, pretty much. For legitimate users, an IPBE can be handed out. We have very limited human resources on the projects themselves to address the issuing of tokens and IPBEs now.
For me, this is largely a philosophical argument; yes, it would be in keeping with the "everyone can edit" ethic to enable Tor editing. For a very small number of WMF projects, it might attract a greater number of editors; if the project itself wants to consider Tor editing appropriate, it would be nice to find a way to exempt that project from the general prohibition. On the other hand, for the vast majority of projects, it would attract more problems and/or require excess attention from the limited number of volunteers (ie, checkusers) who are qualified to determine if an IPBE or "Tor token" is appropriate for a specific user. On some projects, almost every single editor who has ever been found to use [not yet blocked] Tor IPs was identified as such because of a legitimate concern about that editor's behaviour.
Risker/Anne
On Sat, Jan 5, 2013 at 4:27 AM, Risker risker.wp@gmail.com wrote:
Bawolff has it right, pretty much. For legitimate users, an IPBE can be handed out. We have very limited human resources on the projects themselves to address the issuing of tokens and IPBEs now.
For me, this is largely a philosophical argument; yes, it would be in keeping with the "everyone can edit" ethic to enable Tor editing. For a very small number of WMF projects, it might attract a greater number of editors; if the project itself wants to consider Tor editing appropriate, it would be nice to find a way to exempt that project from the general prohibition. On the other hand, for the vast majority of projects, it would attract more problems and/or require excess attention from the limited number of volunteers (ie, checkusers) who are qualified to determine if an IPBE or "Tor token" is appropriate for a specific user. On some projects, almost every single editor who has ever been found to use [not yet blocked] Tor IPs was identified as such because of a legitimate concern about that editor's behaviour.
I hope we don't (but rarely, perhaps) checkuser accounts that are behaving properly, so don't think we'd necessarily find many of the well-behaving tor users.
Of course, we find the bad behavior accounts.
Cheers, Katie
Risker/Anne _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
This is a quick followup to http://www.gossamer-threads.com/lists/wiki/wikitech/323006 and partly in keeping with the anti-vandalism discussion at http://www.gossamer-threads.com/lists/wiki/wikitech/392727 as well.
On 12/27/2012 07:26 PM, Sumana Harihareswara wrote:
TL;DR: A few ideas follow on how we could possibly help legit editors contribute from behind Tor proxies....
[snip]
- Allow more users the IP block exemption, possibly even automatically
after a certain number of unreverted edits, but with some kind of FlaggedRevs integration; Tor users can edit but their changes have to be reviewed before going live. We could combine this with (3); Nymble administrators or token-issuers could pledge to review edits coming from Tor. But that latter idea sounds like a lot of social infrastructure to set up and maintain.
From talking to Eleanor Saitta: could we do FlaggedRevs by IP space,
and/or by the intersection of IPs and topic space? Basically, let people edit from Tor IPs (and/or whitelist or blacklist categories) as long as those go through a FlaggedRevs-type process? And we could also do FlaggedRevs on specific IP ranges, like blocks that are known to be certain government office buildings.
I like this idea. Not every Tor user is vandal or troll, and assuming that all of them are by default is not assuming good faith. Some people are just really paranoid about their internet anonymity or live in restrictive countries (both of which I sympathize with), so this idea would let them edit in good faith while filtering out vandal/troll edits. It would also be a good idea to apply this to certain IP ranges like government/office buildings for similar reasons.
Date: Fri, 27 Sep 2013 19:40:53 -0400 From: sumanah@wikimedia.org To: wikitech-l@lists.wikimedia.org; ella@dymaxion.org Subject: Re: [Wikitech-l] Can we help Tor users make legitimate edits?
This is a quick followup to http://www.gossamer-threads.com/lists/wiki/wikitech/323006 and partly in keeping with the anti-vandalism discussion at http://www.gossamer-threads.com/lists/wiki/wikitech/392727 as well.
On 12/27/2012 07:26 PM, Sumana Harihareswara wrote:
TL;DR: A few ideas follow on how we could possibly help legit editors contribute from behind Tor proxies....
[snip]
- Allow more users the IP block exemption, possibly even automatically
after a certain number of unreverted edits, but with some kind of FlaggedRevs integration; Tor users can edit but their changes have to be reviewed before going live. We could combine this with (3); Nymble administrators or token-issuers could pledge to review edits coming from Tor. But that latter idea sounds like a lot of social infrastructure to set up and maintain.
From talking to Eleanor Saitta: could we do FlaggedRevs by IP space, and/or by the intersection of IPs and topic space? Basically, let people edit from Tor IPs (and/or whitelist or blacklist categories) as long as those go through a FlaggedRevs-type process? And we could also do FlaggedRevs on specific IP ranges, like blocks that are known to be certain government office buildings.
-- Sumana Harihareswara Engineering Community Manager Wikimedia Foundation
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On Sat, 28 Sep 2013, at 10:17, Arcane 21 wrote:
I like this idea. Not every Tor user is vandal or troll, and assuming that all of them are by default is not assuming good faith.
To avoid endless abuse some services ask people to register from a non-TOR IP, and allow them to connect from TOR after registering.
Gryllida, that can already be done: https://meta.wikimedia.org/wiki/No_open_proxies , updated only a few days ago. https://bugzilla.wikimedia.org/show_bug.cgi?id=42231 was also just fixed to inform users better, thanks to Tyler and Reedy.
Nemo
On 27 September 2013 19:40, Sumana Harihareswara sumanah@wikimedia.orgwrote:
This is a quick followup to http://www.gossamer-threads.com/lists/wiki/wikitech/323006 and partly in keeping with the anti-vandalism discussion at http://www.gossamer-threads.com/lists/wiki/wikitech/392727 as well.
On 12/27/2012 07:26 PM, Sumana Harihareswara wrote:
TL;DR: A few ideas follow on how we could possibly help legit editors contribute from behind Tor proxies....
[snip]
- Allow more users the IP block exemption, possibly even automatically
after a certain number of unreverted edits, but with some kind of FlaggedRevs integration; Tor users can edit but their changes have to be reviewed before going live. We could combine this with (3); Nymble administrators or token-issuers could pledge to review edits coming from Tor. But that latter idea sounds like a lot of social infrastructure to set up and maintain.
From talking to Eleanor Saitta: could we do FlaggedRevs by IP space, and/or by the intersection of IPs and topic space? Basically, let people edit from Tor IPs (and/or whitelist or blacklist categories) as long as those go through a FlaggedRevs-type process? And we could also do FlaggedRevs on specific IP ranges, like blocks that are known to be certain government office buildings.
I think perhaps there's a real disconnect between what Flagged Revisions does and its purpose, as well as how widespread its use is. FR is not used on 95% of Wikimedia projects. It is attached to specific pages (or entire namespaces); it is not attached to either anonymous (IP) or registered users. You're looking for some other type of software, some form of user right if it is to be attached to specific users (either anonymous or registered) that would....do what, exactly? Require that a project's editors review every single edit from those IPs but not block them, no matter how much junk they put in a project?
And again, any such use would be specific to each project. I would be very disturbed if the WMF was to take it upon itself to start telling projects they have to accept edits from IPs and ranges they've had extremely poor experience with. AGF is not a suicide pact.
Risker/Anne
Hmm, I can see your point. Flagged Revs would be as much of hindrances on regular users as it would be on Tor users. I still think it should be permissable for Tor editors to submit legitimate edits in some way, but your points about the AGF policy and the purpose of Flagged Revs are duly noted.
Date: Fri, 27 Sep 2013 21:05:29 -0400 From: risker.wp@gmail.com To: wikitech-l@lists.wikimedia.org Subject: Re: [Wikitech-l] Can we help Tor users make legitimate edits?
On 27 September 2013 19:40, Sumana Harihareswara sumanah@wikimedia.orgwrote:
This is a quick followup to http://www.gossamer-threads.com/lists/wiki/wikitech/323006 and partly in keeping with the anti-vandalism discussion at http://www.gossamer-threads.com/lists/wiki/wikitech/392727 as well.
On 12/27/2012 07:26 PM, Sumana Harihareswara wrote:
TL;DR: A few ideas follow on how we could possibly help legit editors contribute from behind Tor proxies....
[snip]
- Allow more users the IP block exemption, possibly even automatically
after a certain number of unreverted edits, but with some kind of FlaggedRevs integration; Tor users can edit but their changes have to be reviewed before going live. We could combine this with (3); Nymble administrators or token-issuers could pledge to review edits coming from Tor. But that latter idea sounds like a lot of social infrastructure to set up and maintain.
From talking to Eleanor Saitta: could we do FlaggedRevs by IP space, and/or by the intersection of IPs and topic space? Basically, let people edit from Tor IPs (and/or whitelist or blacklist categories) as long as those go through a FlaggedRevs-type process? And we could also do FlaggedRevs on specific IP ranges, like blocks that are known to be certain government office buildings.
I think perhaps there's a real disconnect between what Flagged Revisions does and its purpose, as well as how widespread its use is. FR is not used on 95% of Wikimedia projects. It is attached to specific pages (or entire namespaces); it is not attached to either anonymous (IP) or registered users. You're looking for some other type of software, some form of user right if it is to be attached to specific users (either anonymous or registered) that would....do what, exactly? Require that a project's editors review every single edit from those IPs but not block them, no matter how much junk they put in a project?
And again, any such use would be specific to each project. I would be very disturbed if the WMF was to take it upon itself to start telling projects they have to accept edits from IPs and ranges they've had extremely poor experience with. AGF is not a suicide pact.
Risker/Anne _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On Fri, Sep 27, 2013 at 7:40 PM, Sumana Harihareswara <sumanah@wikimedia.org
wrote:
From talking to Eleanor Saitta: could we do FlaggedRevs by IP space, and/or by the intersection of IPs and topic space? Basically, let people edit from Tor IPs (and/or whitelist or blacklist categories) as long as those go through a FlaggedRevs-type process? And we could also do FlaggedRevs on specific IP ranges, like blocks that are known to be certain government office buildings.
Unfortunately this would not solve the inherent problem with users editing from Tor. The reason Tor editors are blocked is not just because of vandalism. If that were the case, we'd just block anonymous editors and allow logged in users to edit over Tor.
In other words, cleaning up vandalism from regular users vs. Tor users is the same amount of work: you revert the vandalism and possibly block the user. Like somebody else mentioned, FlaggedRevs is not related to the editors as much as it is to the content. Vandalism still has to be removed regardless of whether the page has FlaggedRevs. The only difference is that other users won't see the vandalism because it will be hidden from them.
The reason Tor users are really blocked is because Tor allows users to hide their actual IP address, which makes it difficult to IP-ban people from editing and creating accounts, which is sometimes done for severe vandals. Vandals can continue to switch IP addresses at will, create new accounts, and continue vandalizing. The only way to avoid this issue is to force users to associate themselves with a "real" IP address before anonymously editing, but that kind of defeats the point of being anonymous in the first place.
Ideas were thrown around of issuing an anonymous token. The idea is that you generate a secret token, perform some crypto on that token to mask and hide it, and then have Wikipedia sign the masked and hidden token. Because of the nature of RSA, you can have Wikipedia sign the hidden token and then later extract a signature for the real token. Then, when you switch to Tor, you give the real signed token back to Wikipedia. This allows the site to know that it previously authenticated the user without being able to link it with the original IP address. Then, you do major rate-limiting, i.e., allowing a given IP address to request a signature once every week or something. Now rather than blocking an IP address, you block the token, and since the user can only get a token once a week, they're yet again limited to using their real IP address.
However, as pointed out, this suffers from a number of issues: 1) a week is a long time, and on a shared IP address it could be impossible to use; 2) it requires a lot of client-side crypto, which has to be done in either JavaScript or a custom client; 3) since the rate-limiting is the equivalent of IP blocks, vandal IP addresses can never be blocked for more than a week, which means the problem isn't truly solved. In the end, it comes down to trying to balance the rate-limiting between usability and blocking capability. I attempted an implementation of this a while ago, but abandoned it due to lack of interest. If somebody thinks these goals are surmountable, I'm sure we can resume discussion on it and maybe I can resume implementation.
*-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science
wikitech-l@lists.wikimedia.org