On Saturday 25 June 2005 00:55, Andrew Gray wrote:
On 24/06/05, Jake Waskett <jake(a)waskett.org>
wrote:
On Friday 24 June 2005 17:53, David Gerard
wrote:
As can be
readily seen from a reverse DNS query, this IP address is a
transparent proxy server, use of which is forced upon NTL users (a
large UK telco).
manc-cache-5.server.ntli.net
Trouble is that admins can't actually see what IP a username is coming
from. So there's no indication until someone calls it to their
attention.
Hmm. There seems to be a clash between anonymity and usability here, as
is so often the case with security systems.
Perhaps we could allow admins to see part of the reverse DNS, but not all
of it. If we strip off the last two parts of the name (in this example,
leaving just "manc-cache-5.server"), we'd get something that nine times
out of ten would identify a proxy or not, but would not be personally
identifiable.
Hmm. Set recent-changes to show only anons; 250 edits comes to about
175 unique IPs (busy people, these - one was there four or five
times). Converting them to names, then stripping off the two trailing
sections, we get this list -
http://www.generalist.org.uk/wiki.txt
(somewhere along the line it went to 126 addresses. Buggered if I know
why.)
Of those, only 20 have proxy or cache in the name.
Thoughts on how useful this sort of data would be, given the
reasonably sized sample above?
Ok, so of 126 addresses, we have about 20 proxies. So about 16% of anonymous
Wikipedias users are recognised as being behind a proxy, using this scheme. I
don't know the answer to this question, but does anybody know roughly what
proportion of web users go through a proxy server? Is it close to 16%? If so,
we've got a pretty good scheme here.
Of course, a determined user could create a sub-domain with 'proxy' or
'cache'
in the title, which would fool a simple software implementation, but perhaps
not a human.
In reply to geni's comment, we're talking about a minor change to the software
anyway, so all that's needed is to present the admin with this information at
the time that he or she chooses to block a user.
Ideally, the software could give the admin a "no IP block" option, to exercise
at his or her discretion (the software may already do this; I don't know).
That would enable pests to be banned without banning others behind the same
proxy. If I were to implement that, I'd also set a "banned user" cookie that
would catch a change of username.
Pros:
* Avoid blocking legitimate users
* Preserves anonymity, to a reasonable extent
* (If "no IP block" option is implemented) Grants more flexibility to admins
in their work.
Cons:
* Will take a couple of days to implement
* Not 100% foolproof (or smart-but-malicious-proof)
Comments, anyone?
Jake