My example means that unless Tor is hard blocked, attackers can create 6
accounts per day on their home IP and just wait till they go stale and use
6 attack accounts per day. There isn't a need for infinite accounts, just
that soft blocking is pointless in this case.

On Wednesday, October 1, 2014, Brian Wolff <bawo...@gmail.com> wrote:

> On Oct 1, 2014 3:56 PM, "Derric Atzrott" <datzr...@alizeepathology.com>
> wrote:
> >
> > Another idea for a potential technical solution, this one provided
> > by the user Mirimir on the Tor mailing list.  I thought this was
> > actually a pretty good idea.
> >
> > > Wikimedia could authenticate users with GnuPG keys. As part of the
> > > process of creating a new account, Wikimedia could randomly specify the
> > > key ID (or even a longer piece of the fingerprint) of the key that the
> > > user needs to generate. Generating the key would require arbitrarily
> > > great effort, but would impose negligible cost on Wikimedia or users
> > > during subsequent use. Although there's nothing special about such
> > > GnuPG keys as proof of work, they're more generally useful.
> >
> > As a proof of work I think it works out pretty well.  The cost of
> > creating a key with a given fingerprint is non-trivial, but low enough that
> > someone wishing to create an account to edit might well go through with
> > it if they knew it would only be a one-time thing.
> >
> > This doesn't completely eliminate the issue of socks, but honestly if we
> > make the key generation time reasonably long, it would probably deter
> > most socks as they might as well just drive to the nearest Starbucks.
> >
> > Someone else on the Tor mailing list suggested that we basically relax
> > IPBE, which while not on topic for this list, I thought I'd mention
> > just because it has been mentioned.  They actually basically
> > described our current system, except with the getting the IPBE stage
> > a lot easier.
> >
> > The following was also pointed out to me:
> >
> > > [I]t's also trivial to evade using proxies, with or without Tor.
> > > Blocking Tor (or even all known proxies) only stops the clueless.
> > > Anyone serious about evading a block could just use a private proxy
> > > on AWS (via Tor). [snip] The bottom line is that blocking Tor harms
> > > numerous innocent users, and by no means excludes seriously malicious
> > > users.
> >
> > I did respond to this to explain our concerns, which is what netted
> > the GPG idea.  Does anyone see any glaringly obvious problems with
> > requiring an easily blockable and difficult to create proof of work
> > to edit via Tor?
> >
> > Thank you,
> > Derric Atzrott
> >
> >
> > _______________________________________________
> > Wikitech-l mailing list
> > Wikitech-l@lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
> The problem with proof of work things is that they kind of have the wrong
> kind of scarcity for this problem.
>
> * someone legit wants to edit, takes them hours to be able to. (Which is not
> ideal)
> * someone wants to abuse the system, spend a couple months beforehand
> generating the work offline, use all at once for thousand-strong sock
> puppet army. (Which makes the system ineffective at preventing abuse)
>
> --bawolff
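The key-ID proof of work quoted in this thread, as an added sketch that is not from any poster or from Wikimedia: the server picks a random fingerprint suffix, the client grinds until its key's fingerprint ends in it, and the server checks with one hash. The fingerprint layout follows OpenPGP v4 (RFC 4880); the key material is random stand-in bytes rather than a real key, and all function names and the default timestamp are hypothetical.

```python
import hashlib
import os
import struct

def v4_fingerprint(created: int, key_material: bytes) -> str:
    """Hex SHA-1 fingerprint laid out like an OpenPGP v4 public key (RFC 4880, 12.2)."""
    # Packet body: version 4, 4-byte creation time, algorithm id 1 (RSA), key material.
    body = struct.pack(">BIB", 4, created, 1) + key_material
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()

def issue_challenge(hex_digits: int) -> str:
    """Server: random fingerprint suffix that the new account's key must end in."""
    return os.urandom((hex_digits + 1) // 2).hex()[:hex_digits]

def grind(challenge: str, key_material: bytes, newest: int = 1_412_121_600):
    """Client: step the creation time backwards until the suffix matches.

    Returns (created, attempts); expected attempts are about 16 ** len(challenge).
    """
    for attempts, created in enumerate(range(newest, 0, -1), start=1):
        if v4_fingerprint(created, key_material).endswith(challenge):
            return created, attempts
    raise RuntimeError("timestamp space exhausted; use fresh key material")

def verify(challenge: str, created: int, key_material: bytes) -> bool:
    """Server: one hash, regardless of how long the client had to grind."""
    return v4_fingerprint(created, key_material).endswith(challenge)

if __name__ == "__main__":
    key_material = os.urandom(256)   # assumption: stand-in bytes, not a real RSA key
    for digits in (2, 3, 4):
        challenge = issue_challenge(digits)
        created, attempts = grind(challenge, key_material)
        print(f"suffix {challenge}: {attempts} attempts (expected ~{16 ** digits}), "
              f"verified={verify(challenge, created, key_material)}")
```

Each extra hex digit in the challenge multiplies the client's expected work by 16 while the server's check stays a single SHA-1.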