I still believe that Nymble is the way to go here. It is the only solution that successfully allows negotiation of a secure collateral that can still be blacklisted after abuse has occurred.
Although, as mentioned, it is all about the collateral. Making the user provide something that requires work to obtain.
*-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science
On Tue, Sep 30, 2014 at 3:40 PM, Risker risker.wp@gmail.com wrote:
Okay, so I have to ask. What is this obsession with enabling TOR editing?
Stewards are having to routinely disable significant IP ranges because of spamming/vandalism/obvious paid editing/etc through anonymizing proxies, open proxies, and VPNs - so I'm not really seeing a positive advantage in enabling an editing vector that would be as useful to block as the old AOL IPs.[1] If the advocates of enabling TOR were all willing to come play whack-a-mole - and keep doing it, day in and day out, for years - there might be something to be said for it. But it would be a terrible waste of a lot of talent, and I'm pretty sure none of you are all that interested in devoting your volunteer time that way.
We know what the "technical" solution would be here: to turn the on/off switch to "on". Enabling TOR from a technical perspective is simple. Don't forget, while you're at it, to address the unregistered editing attribution conundrum that has always been the significant secondary issue.
I'd encourage all of you to focus on technical ways to prevent abusive/inappropriate editing from all types of anonymizing edit platforms, including VPNs, sites like Anonymouse, etc. TOR is but one editing vector that is similarly problematic, and it would boggle the minds of most users to discover that developers are more interested in enabling another of these vectors rather than thinking about how to prevent problems from the ones that are currently not systemically shut down.
Risker/Anne
[1] Historical note - back in the day, AOL used to reassign IPs with every new link accessed through the internet (i.e., new IP every time someone went to a new Wikipedia page). It was impossible to block AOL vandals. This resulted in most of the known AOL IP ranges being blocked, since there was no other way to address the problem.
On 30 September 2014 14:52, Brian Wolff bawolff@gmail.com wrote:
On 9/30/14, Derric Atzrott datzrott@alizeepathology.com wrote:
Alright, this is a long email, and it acts to basically summarise all
of
the
discussions that have already happened on this topic. I'll be posting
a
copy of it to Mediawiki.org as well so that it will be easier to find out
about
what has already been proposed in the future.
There is a policy side to this, Meta has the "No open proxies" policy,
which
would need to be changed, but I doubt that such policies will be
changed
unless those of us on this list can come up with a good way to allow
Tor
users to edit. If we can come up with a way that solves most of the problems
the
community has, then I think there is a good chance that this policy can
be
changed.
I'd like to add an idea I've been thinking about to make TOR more acceptable.
A big part of the problem is that there are hundreds (thousands?) of exit nodes, so if someone is being bad, they just have to wait 5 minutes to get a new one, making it very hard to block them.
So what we could do, is map all tor connections to appear (To MW) as if they are coming from a few private IP addresses. This way its easy to block temporarily (in case of a whole slew of vandalism comes in), the political decision on whether to block or not becomes a local problem (The best kind of solution to a problem is the type that makes it somebody else's problem ;) I would personally hope that admins would only give short term block to such an address during waves of vandalism, but ultimately it would be up to them.
To be explicit, the potential idea is as follows: *User access via tor *MediaWiki sees its a tor request *Try to do limited browser fingerprinting, to perhaps mitigate the affect of an unclued user not using tor browser being bad ruining it for everyone. Say take a hash of the user-agent and various accept headers, and turn it into a number between 1 and 16. *Make MW think the IP is 172.16.0.<number from previous step>
Then all the tor edits are all together, and easy to notice if somebody is abusing them, and easy for a local admin to block all at once if need be.
This would also make most of the rate limiting apply against all people accessing via tor instead of doing rate limiting per exit node, which is probably a good thing, and would prevent repetitive abuse, people registering 10 billion accounts, etc. If we did this, we may also want to make pretty much every action trigger a captcha for those addresses (perhaps even if you are logged in from those addresses), instead of the current lax captcha triggering (On the bright side, our captchas are actually readable by people, unlike say cloudflare's (recaptcha) which I can't make heads or tails of).
If there are further concerns about potential abuse, we could tag all edits coming from TOR (including if user is logged in) with an edit tag of "tor" (Although that might be in violation of privacy policy by exposing how a logged in user is accessing the site).
Thoughts? Would this actually make TOR be acceptable to the Wikipedians?
--bawolff
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l