Re: [freenet-chat] Crazy idea: How trust in darknets enables secure democratic censorship
What a terrible idea. Censorship by majority is still censorship.

Ian.

On 11 Jul 2005, at 16:17, Matthew Toseland wrote:

> Here's a really whacky idea I came up with on the train back from Strasbourg (please read the whole email before flaming me):
>
> Personally I support Freenet being uncensorable and providing untraceability for posters, because there is no way to prevent censorship abuses by the powerful (including governments and corporations), while still allowing censorship to prevent e.g. child porn. I propose below a means that could provide some form of self regulation, under locally democratic control, which would provide a powerful deterrent to people posting objectionable materials. This is only possible because of the trust relationships underlying a scalable darknet such as Freenet 0.7/Dark.
>
> There is an argument that unpopular content will fall out of the current Freenet; it won't if the original insertor keeps on pushing it back in.
>
> Maybe, just maybe, we can have our cake and eat it too. The result would be that Freenet could be far more mainstream, usable by far more people (e.g. oppressed religious groups in China are likely to object to all the kiddy porn on Freenet), and its content would reflect what its users want rather than what the state wants.
>
> Definition:
> Premix ID:
> - Each node has two identities. One is its pubkey and physical location to connect to it. This is only given out to its immediate peers, and they may not forward it, on a darknet. The second is its premix pubkey. This is the key which is used to encrypt premix-routed traffic which is sent through the node. This is public, along with the node's connections, in order for premix routing to work through the darknet - we have to expose the network topology in order for premix routing to work.
>
> Client C finds some content he finds objectionable. He sends out a Complaint to his friend nodes. This contains a pointer to the objectionable content, and possibly C's premix ID (I'm not decided on this bit).
>
> Users can then verify the complaint - voting for it to be upheld or not and for what sanctions to be applied. If it is not upheld by enough nodes it is not propagated, so complaint spamming will be severely limited.
>
> Each node can decide whether the complaint is upheld. It will take into account its own vote if any (weight 1), the votes of its friend nodes (weight 1), and the votes of those nodes connected to its friend nodes (probably weighted 1/n where n is the number of nodes connected to a given friend node). There would be turnout requirements (say 2/3), and supermajority requirements which depend on what sanction is called for.
>
> If the complaint is upheld, then the network will attempt to trace the insertor, and possibly any requestors, of the data: If a node was on the insert path, AND it considers the complaint to have been upheld, it will check its records and attempt to trace the request. As will the next node on the chain. The original insertor will be found, and its premix ID exposed.
>
> Possible sanctions are:
> - Reprimand; upheld complaint is recorded on the node's record
> - Premix disconnect; node may no longer use premix routing
> - Full disconnect; node may not remain connected to the network. Requires a larger supermajority.
> - Blow the node; node's IP address is broadcast (endangers the network itself, would require 80% or so majority, and could be turned off on some networks).
>
> The idea here is that we produce a deterrent. Nodes won't insert content regarded as bad by the majority of a particular network, because of the risks involved, and therefore complaints should be rare.
>
> The content itself would be blocked, but only after the vote, which could take a reasonable time - say 2 weeks - during which any interested individuals could inspect the objectionable content (many will simply follow others, but this is not a problem as the content _is_ available; provided the system works, complaints will be rare and people will not have to browse through filth on a regular basis). This should keep the whole process accountable.
>
> If the original insertor is not found, we can get as close as possible. Since there will likely be several blocks to trace (even if the objectionable content is a single file), and since we know the network topology, we can do some form of correlation attack - and narrow it down to a particular area of the network. If it is one node, we can take the above sanctions; if it is a group of nodes (or a particular link or set of links), then we can break those connections and fork the network into two disconnected darknets with different standards (it should be reasonably easy to determine this given enough data to trace).
>
> Votes would have to be public for this to work (at least, public to nearby nodes). There is no secret ballot. On the other hand, since we are assuming that Freenet nodes are illegal in any case in
Re: [freenet-chat] Crazy idea: How trust in darknets enables secure democratic censorship
On Wed, Jul 13, 2005 at 01:41:37PM +0200, Rainer Kupke wrote:
> Matthew Toseland [EMAIL PROTECTED] wrote:
> > On Wed, Jul 13, 2005 at 11:52:00AM +0200, Rainer Kupke wrote:
> > > Matthew Toseland [EMAIL PROTECTED] wrote:
> > > [voting against nodes that insert objectionable content]
> > >
> > > After a night of sleep I came up with two strategies to defeat your idea:
> > >
> > > First strategy:
> > > 1. run several small nodes and never use them to insert stuff. These nodes are good citizens.
> >
> > This is perfectly valid. You can run a node.
> >
> > > 2. Create a new node N
> > > 3. Use N to insert content
> > > 4. Delete N before reprimands hit.
> >
> > This is quite possible, however I don't see how you are going to be able to repeat it, due to the nature of a darknet. Also it might hurt the people you connected through.
>
> I assume that the inserting node gets more blame than the surrounding nodes and that blame does not stick around forever. Maybe for a very long time, but definitely not forever. So I can surround my inserter with one (as above) or more layers of nodes which act as blame absorbers. When I insert evil stuff my inserter will be blamed for it. The nodes next to it will get some fraction of the blame, but definitely less. The nodes on the outer layer will get nearly no blame.

They will get no blame, unless they oppose the complaint.

> Before the nodes on my outer layer get blamed for talking to evil nodes I shutdown the core of my little evilnet and replace it with new nodes.

If complaints are repeatedly held up against new nodes connected to a specific small number of nodes, it should be possible for the community to notice this and take action against _them_. The network topology has to be open for premix routing to work, and the node which was punished is revealed when a complaint is upheld.

--
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.

___
chat mailing list
chat@freenetproject.org
Archived: http://news.gmane.org/gmane.network.freenet.general
Unsubscribe at http://dodo.freenetproject.org/cgi-bin/mailman/listinfo/chat
Or mailto:[EMAIL PROTECTED]
Re: [freenet-chat] Crazy idea: How trust in darknets enables secure democratic censorship
On Wed, Jul 13, 2005 at 02:53:38PM +0200, Rainer Kupke wrote:
> Matthew Toseland [EMAIL PROTECTED] wrote:
> > > I assume that the inserting node gets more blame than the surrounding nodes and that blame does not stick around forever. Maybe for a very long time, but definitely not forever. So I can surround my inserter with one (as above) or more layers of nodes which act as blame absorbers. When I insert evil stuff my inserter will be blamed for it. The nodes next to it will get some fraction of the blame, but definitely less. The nodes on the outer layer will get nearly no blame.
> >
> > They will get no blame, unless they oppose the complaint.
>
> They could even support the complaint. The inserter is expendable.
>
> > > Before the nodes on my outer layer get blamed for talking to evil nodes I shutdown the core of my little evilnet and replace it with new nodes.
> >
> > If complaints are repeatedly held up against new nodes connected to a specific small number of nodes, it should be possible for the community to notice this and take action against _them_.
>
> They are expendable unless they belong to the outer layer. The inner layers can be replaced every two weeks, the outer layers every year or so. Obviously I have to keep the outermost layer.
>
> > The network topology has to be open for premix routing to work, and the node which was punished is revealed when a complaint is upheld.
>
> How long would it take for the community to identify the outer layer of evilnet? Even a single person should be able to protect the inserter with 4-6 layers of blame absorbers.

It would be obvious that every single evil insert has gone through that person's node. Because he has one node that connects to the rest of the network. The blame absorbers only connect to his node, and to other blame absorbers, and to the nodes which send the data out.

--
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
Re: [freenet-chat] Crazy idea: How trust in darknets enables secure democratic censorship
Matthew Toseland [EMAIL PROTECTED] wrote:
> > How long would it take for the community to identify the outer layer of evilnet? Even a single person should be able to protect the inserter with 4-6 layers of blame absorbers.
>
> It would be obvious that every single evil insert has gone through that person's node.

One of that person's nodes. And nobody would know that the nodes belong to the same person.

> Because he has one node that connects to the rest of the network.

After I establish my first node on a darknet I can create a new node and have it connect to my first node. If the net is somewhat popular I should be able to find people who want to join. I give them the address of my new node. Sooner or later some of the newbies will make connections to other nodes. Now my new node is established on the network and I can start establishing the next one.

Once I have a few established nodes I cut the connections between them and use them to form the outer layer of my evilnet.
Re: [freenet-chat] Crazy idea: How trust in darknets enables secure democratic censorship
On Wed, Jul 13, 2005 at 04:00:25PM +0200, Rainer Kupke wrote:
> Matthew Toseland [EMAIL PROTECTED] wrote:
> > > How long would it take for the community to identify the outer layer of evilnet? Even a single person should be able to protect the inserter with 4-6 layers of blame absorbers.
> >
> > It would be obvious that every single evil insert has gone through that person's node.
>
> One of that person's nodes. And nobody would know that the nodes belong to the same person.

Oh, they would. Because the only way to get onto a network is to connect to people who know you. This means you have a severely limited number of connections to the rest of the network. This is a property of any darknet.

> > Because he has one node that connects to the rest of the network.
>
> After I establish my first node on a darknet I can create a new node and have it connect to my first node. If the net is somewhat popular I should be able to find people who want to join. I give them the address of my new node. Sooner or later some of the newbies will make connections to other nodes. Now my new node is established on the network and I can start establishing the next one.

You'll be severely limited nonetheless.

> Once I have a few established nodes I cut the connections between them and use them to form the outer layer of my evilnet.

--
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
Re: [freenet-chat] Crazy idea: How trust in darknets enables secure democratic censorship
On Tue, Jul 12, 2005 at 01:03:08PM +0200, Rainer Kupke wrote:
> Matthew Toseland [EMAIL PROTECTED] wrote:
> > There is an argument that unpopular content will fall out of the current Freenet; it won't if the original insertor keeps on pushing it back in.
>
> What if you simply make it more difficult to push stuff back in?
>
> When a node drops data have it remember the hash for a *long* time. If somebody tries to reinsert the data just act as if the insertion was successful and ignore it.

What if they just insert it locally on their own node and then propagate it by requests? We can't interfere with requests propagating data without dire consequences, and only dealing with inserts would be impotent.

--
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
[freenet-chat] Crazy idea: How trust in darknets enables secure democratic censorship
Matthew Toseland [EMAIL PROTECTED] wrote:
> > When a node drops data have it remember the hash for a *long* time. If somebody tries to reinsert the data just act as if the insertion was successful and ignore it.
>
> What if they just insert it locally on their own node and then propagate it by requests?

If my understanding of request routing is correct a request will be routed toward the region of the net where the requested data *should* reside.

They will be able to insert their data on their own node. To propagate the data they have to make requests to other nodes. Those requests will be routed toward the region of the net where the requested data *should* reside and fail there.

The only exception is when they control nodes that are right where the data should reside. Then they can insert locally and propagate the data with a few requests from random nodes. Unless they operate lots of nodes they won't be able to do this for a relevant portion of their data.

> We can't interfere with requests propagating data without dire consequences, and only dealing with inserts would be impotent.

I don't suggest to change the behaviour of requests. If an insert is unable to place the data where requests will find it the requests will fail and the data will not propagate.
Re: [freenet-chat] Crazy idea: How trust in darknets enables secure democratic censorship
Well, sometimes it's legitimate to reinsert data...

On Tue, Jul 12, 2005 at 04:06:08PM +0200, Rainer Kupke wrote:
> Matthew Toseland [EMAIL PROTECTED] wrote:
> > > When a node drops data have it remember the hash for a *long* time. If somebody tries to reinsert the data just act as if the insertion was successful and ignore it.
> >
> > What if they just insert it locally on their own node and then propagate it by requests?
>
> If my understanding of request routing is correct a request will be routed toward the region of the net where the requested data *should* reside.
>
> They will be able to insert their data on their own node. To propagate the data they have to make requests to other nodes. Those requests will be routed toward the region of the net where the requested data *should* reside and fail there.
>
> The only exception is when they control nodes that are right where the data should reside. Then they can insert locally and propagate the data with a few requests from random nodes. Unless they operate lots of nodes they won't be able to do this for a relevant portion of their data.
>
> > We can't interfere with requests propagating data without dire consequences, and only dealing with inserts would be impotent.
>
> I don't suggest to change the behaviour of requests. If an insert is unable to place the data where requests will find it the requests will fail and the data will not propagate.

--
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
Re: [freenet-chat] Crazy idea: How trust in darknets enables secure democratic censorship
I'm not sure that what you suggest is possible or helpful... It is inevitable that content's popularity will vary from time to time... And with per node failure tables it should be possible to find it on the occasional somewhat-off-specialization node with a big store given enough requests...

On Tue, Jul 12, 2005 at 08:34:13PM +0200, Rainer Kupke wrote:
> Matthew Toseland [EMAIL PROTECTED] wrote:
> > On Tue, Jul 12, 2005 at 04:06:08PM +0200, Rainer Kupke wrote:
> > > When a node drops data have it remember the hash for a *long* time. If somebody tries to reinsert the data just act as if the insertion was successful and ignore it.
> >
> > Well, sometimes it's legitimate to reinsert data...
>
> It is still not impossible to reinsert data. It just depends on the value of long time. There is only a problem for data that has recently fallen out of the net.
>
> How about this variant of my suggestion:
>
> If somebody tries to reinsert the data forward the insert as always, but never cache the data yourself.
>
> The insert will be routed as always. If all nodes in the target area have the data blacklisted it will not be inserted. On the first reinsert there should be some nodes that don't have it blacklisted. The result should be good enough, especially if there are people waiting for the data (and generating requests until it shows up).
>
> Subsequent inserts will become more and more difficult as more nodes blacklist the data.
>
> Obviously the value of long time must be large enough that all nodes in the target area eventually blacklist unpopular data if it is reinserted in short intervals. Maybe long time should be dependent on how often the data has dropped out of the net.

--
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
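The reinsert variant quoted in the message above (forward the insert as always, never cache it yourself, and make the "long time" depend on how often the data has dropped out), modelled for a single node as an added Python example that is not Freenet code. The SHA-256 key, the LRU store, the 30-day base period and the doubling rule are assumptions.

```python
import hashlib
from collections import OrderedDict

BASE_BLACKLIST_SECONDS = 30 * 24 * 3600   # assumed value for the "long time"


class Node:
    """One node's datastore plus its memory of hashes it has dropped."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.store = OrderedDict()   # key -> data, least recently used first
        self.dropped = {}            # key -> (blacklisted_until, times_dropped)

    def _evict_if_full(self, now):
        while len(self.store) > self.capacity:
            key, _ = self.store.popitem(last=False)   # drop the least-used block
            _, drops = self.dropped.get(key, (0, 0))
            drops += 1
            # Assumed policy: the blacklist period doubles with every drop.
            until = now + BASE_BLACKLIST_SECONDS * 2 ** (drops - 1)
            self.dropped[key] = (until, drops)

    def insert(self, data, now):
        """Return (key, status). The insert is always routed onward;
        status only says whether this node also cached the data."""
        key = hashlib.sha256(data).hexdigest()   # stand-in for the content hash
        until, _ = self.dropped.get(key, (0, 0))
        if now < until:
            return key, "forwarded"              # blacklisted here: do not cache
        self.store[key] = data
        self.store.move_to_end(key)
        self._evict_if_full(now)
        return key, "cached"

    def request(self, key):
        """Requests are untouched: serve from the store, refreshing its LRU position."""
        if key in self.store:
            self.store.move_to_end(key)
            return self.store[key]
        return None


def reinsert_demo():
    """Constructed run: unpopular block X is pushed out, then reinserted twice."""
    node = Node(capacity=2)
    key_x, first = node.insert(b"X", now=0)
    node.insert(b"A", now=1)
    node.insert(b"B", now=2)                          # store is full, X is dropped
    early = node.insert(b"X", now=3)[1]               # still inside the blacklist period
    lookup = node.request(key_x)                      # so a request here finds nothing
    late = node.insert(b"X", now=2 + BASE_BLACKLIST_SECONDS)[1]   # period has expired
    return [first, early, lookup, late]


if __name__ == "__main__":
    print(reinsert_demo())
```
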
[freenet-chat] Crazy idea: How trust in darknets enables secure democratic censorship
Here's a really whacky idea I came up with on the train back from Strasbourg (please read the whole email before flaming me):

Personally I support Freenet being uncensorable and providing untraceability for posters, because there is no way to prevent censorship abuses by the powerful (including governments and corporations), while still allowing censorship to prevent e.g. child porn. I propose below a means that could provide some form of self regulation, under locally democratic control, which would provide a powerful deterrent to people posting objectionable materials. This is only possible because of the trust relationships underlying a scalable darknet such as Freenet 0.7/Dark.

There is an argument that unpopular content will fall out of the current Freenet; it won't if the original insertor keeps on pushing it back in.

Maybe, just maybe, we can have our cake and eat it too. The result would be that Freenet could be far more mainstream, usable by far more people (e.g. oppressed religious groups in China are likely to object to all the kiddy porn on Freenet), and its content would reflect what its users want rather than what the state wants.

Definition:
Premix ID:
- Each node has two identities. One is its pubkey and physical location to connect to it. This is only given out to its immediate peers, and they may not forward it, on a darknet. The second is its premix pubkey. This is the key which is used to encrypt premix-routed traffic which is sent through the node. This is public, along with the node's connections, in order for premix routing to work through the darknet - we have to expose the network topology in order for premix routing to work.

Client C finds some content he finds objectionable. He sends out a Complaint to his friend nodes. This contains a pointer to the objectionable content, and possibly C's premix ID (I'm not decided on this bit).

Users can then verify the complaint - voting for it to be upheld or not and for what sanctions to be applied. If it is not upheld by enough nodes it is not propagated, so complaint spamming will be severely limited.

Each node can decide whether the complaint is upheld. It will take into account its own vote if any (weight 1), the votes of its friend nodes (weight 1), and the votes of those nodes connected to its friend nodes (probably weighted 1/n where n is the number of nodes connected to a given friend node). There would be turnout requirements (say 2/3), and supermajority requirements which depend on what sanction is called for.

If the complaint is upheld, then the network will attempt to trace the insertor, and possibly any requestors, of the data: If a node was on the insert path, AND it considers the complaint to have been upheld, it will check its records and attempt to trace the request. As will the next node on the chain. The original insertor will be found, and its premix ID exposed.

Possible sanctions are:
- Reprimand; upheld complaint is recorded on the node's record
- Premix disconnect; node may no longer use premix routing
- Full disconnect; node may not remain connected to the network. Requires a larger supermajority.
- Blow the node; node's IP address is broadcast (endangers the network itself, would require 80% or so majority, and could be turned off on some networks).

The idea here is that we produce a deterrent. Nodes won't insert content regarded as bad by the majority of a particular network, because of the risks involved, and therefore complaints should be rare.

The content itself would be blocked, but only after the vote, which could take a reasonable time - say 2 weeks - during which any interested individuals could inspect the objectionable content (many will simply follow others, but this is not a problem as the content _is_ available; provided the system works, complaints will be rare and people will not have to browse through filth on a regular basis). This should keep the whole process accountable.

If the original insertor is not found, we can get as close as possible. Since there will likely be several blocks to trace (even if the objectionable content is a single file), and since we know the network topology, we can do some form of correlation attack - and narrow it down to a particular area of the network. If it is one node, we can take the above sanctions; if it is a group of nodes (or a particular link or set of links), then we can break those connections and fork the network into two disconnected darknets with different standards (it should be reasonably easy to determine this given enough data to trace).

Votes would have to be public for this to work (at least, public to nearby nodes). There is no secret ballot. On the other hand, since we are assuming that Freenet nodes are illegal in any case in the long term on a darknet, and since nobody who isn't trusted by you can find your IP address, people should be able to vote in accordance with their consciences.

Technical forms of voterigging
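The local tally described in the proposal above (own vote and friends at weight 1, friends-of-friends at 1/n, a turnout floor and a sanction-dependent supermajority), worked through as an added Python example that is not code from the post or from Freenet. The graph, the votes, the way turnout is measured and every threshold except the 80% figure are assumptions; the run shows how the 1/n weighting caps what the nodes behind any one friend can contribute.

```python
from fractions import Fraction

TURNOUT_REQUIRED = Fraction(2, 3)      # "say 2/3" in the proposal
# Only the 80% figure for "blow the node" is from the post; the rest are assumed.
SUPERMAJORITY = {
    "reprimand": Fraction(3, 5),
    "premix_disconnect": Fraction(2, 3),
    "full_disconnect": Fraction(3, 4),
    "blow_node": Fraction(4, 5),
}


def local_weights(graph, me):
    """Voter weights as seen from `me`: self 1, each friend 1, friend-of-friend 1/n."""
    friends = graph[me]
    weights = {me: Fraction(1)}
    weights.update({f: Fraction(1) for f in friends})
    for f in friends:
        n = len(graph[f])              # number of nodes connected to this friend
        for ff in graph[f]:
            if ff == me or ff in friends:
                continue               # assumption: already counted at weight 1
            # assumption: a node reachable through several friends sums its shares
            weights[ff] = weights.get(ff, Fraction(0)) + Fraction(1, n)
    return weights


def tally(graph, votes, me, sanction):
    """Decide locally whether a complaint is upheld. votes: node -> True/False."""
    weights = local_weights(graph, me)
    possible = sum(weights.values())
    cast = sum(w for node, w in weights.items() if node in votes)
    uphold = sum(w for node, w in weights.items() if votes.get(node) is True)
    turnout = cast / possible          # assumption: turnout is measured by weight
    share = uphold / cast if cast else Fraction(0)
    upheld = turnout >= TURNOUT_REQUIRED and share >= SUPERMAJORITY[sanction]
    return {"turnout": turnout, "share": share, "upheld": upheld}


def head_count_share(graph, votes, me):
    """One-node-one-vote share over the same two-hop view, for comparison."""
    voters = [node for node in local_weights(graph, me) if node in votes]
    return Fraction(sum(votes[node] for node in voters), len(voters))


def sample_network():
    """Constructed data: A has friends B, C, D; B fronts 20 nodes that all vote with it."""
    stuffed = [f"s{i}" for i in range(20)]
    graph = {"A": {"B", "C", "D"}, "B": {"A", *stuffed},
             "C": {"A", "E"}, "D": {"A", "F"}, "E": {"C"}, "F": {"D"}}
    graph.update({s: {"B"} for s in stuffed})
    votes = {node: False for node in ("A", "C", "D", "E", "F")}
    votes.update({node: True for node in ["B", *stuffed]})
    return graph, votes


if __name__ == "__main__":
    graph, votes = sample_network()
    print("head count share:", float(head_count_share(graph, votes, "A")))
    for sanction in SUPERMAJORITY:
        print(sanction, tally(graph, votes, "A", sanction))
```

In this constructed network a plain head count would see 21 of 26 votes to uphold, while the weighted tally from A's position gives the 20 nodes behind B a combined weight below 1.
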