[WikiEN-l] Re: Tor horror stories

Tim Starling t.starling at physics.unimelb.edu.au
Tue Sep 27 16:11:57 UTC 2005


Neil Harris wrote:
> Regarding Tor, does anyone have, or has anyone considered, an
> auto-discovery robot to find Tor proxies?
> 
> This would be a Tor client which would connect to Tor at regular
> intervals and hit a special URL with a magic authenticating token in it,
> that would automatically ban the IP in question.
> 
> Sooner or later, it would work its way through all, or almost all, of
> the proxies in the Tor cloud.

It's not necessary; Tor have a public exit node list. See for example
http://serifos.eecs.harvard.edu:8000/cgi-bin/exit.pl . The Tor
developers are actually very sympathetic to our situation... or at least
they became sympathetic after a series of conversations between our
developer Domas Mituzas and Tor developer Roger Dingledine, starting at
the CCC last December.

My question to Roger at his CCC lecture was "are you going to provide us
with a client library for automated blocking of Tor exit nodes?" to
which his answer was no, but several months later we received this:

http://tor.eff.org/cvs/tor/contrib/exitlist

and the Tor developers even made plans to integrate it into MediaWiki
for us. That hasn't eventuated, but I appreciate the gesture.

Roger's preferred solution in MediaWiki is to enable admins to make
short-duration blocks (say 15 minutes) of all Tor exit nodes
simultaneously. My preferred solution is to delay edits:

http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/18932

...although that is quite a bit more complicated and thus less likely to
get done. At least my proposal serves to highlight our differences in
viewpoint. Tor supporters like to justify their existence from the moral
high ground of protection against government persecution or industrial
espionage. But what the bulk of Tor users are really interested in is
obscuring their identity from server administrators, and that carries with it
a different set of ethical implications.

Administrators of wikis, forums, webmail and IRC all use IP blacklists
as a means to enforce a code of behaviour. Roger counters that server
administrators should move from IP-based access control to more secure
identification methods such as PKA coupled with credit card
authentication. But would that really be a step forward for privacy?


-- Tim Starling
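
Added example, not part of the original message and not MediaWiki or Tor code: a Python sketch of the short-duration block of all Tor exit nodes at once that the message describes. The list format (one address per line, `#` comments), the sample addresses and every name below are assumptions made for illustration.

```python
import ipaddress

BLOCK_SECONDS = 15 * 60  # "say 15 minutes", as in the message above

# Constructed sample list using documentation-range addresses. The format
# (one address per line, '#' comments) is an assumption for this example.
SAMPLE_EXIT_LIST = """\
# constructed sample
192.0.2.10
198.51.100.77   # trailing comment
2001:db8::5
not-an-address
"""

def normalise(addr):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def parse_exit_list(text):
    """Return the set of exit addresses, skipping blanks, comments and junk."""
    exits = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            try:
                exits.add(normalise(entry))
            except ValueError:
                pass  # a malformed line must not abort loading the list
    return exits

class TorExitBlock:
    """One switch that blocks every listed exit node until it expires."""
    def __init__(self, exits):
        self.exits = exits
        self.expires_at = 0.0

    def activate(self, now, duration=BLOCK_SECONDS):
        # Re-activating extends the block; it never shortens one in force.
        self.expires_at = max(self.expires_at, now + duration)

    def may_edit(self, client_ip, now):
        if now >= self.expires_at:
            return True  # block lapsed: exit nodes can edit again
        try:
            return normalise(client_ip) not in self.exits
        except ValueError:
            return False  # unparseable address while blocking: fail closed
```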



