[tor-talk] tor-blocking sites

Mike Perry mikeperry at torproject.org
Thu Feb 9 23:10:05 UTC 2012


Thus spake Maxim Kammerer (mk at dee.su):

> On Thu, Feb 9, 2012 at 05:44, Mike Perry <mikeperry at torproject.org> wrote:
> > If you read the ticket, the design sketch does not require constant CPU
> > burning. You would only use the CPU until you built up a sufficient pile
> > of tokens, and you would only do that intermittently.
> 
> Not to raise unnecessary skepticism, but has proof-of-work ever been
> successfully deployed for anything in the real world (besides for
> proof-of-work per se — i.e., Bitcoin)?

As far as I know, no one has ever tried it. Some academics once pointed
out that proof-of-work would not work for email, but that was primarily
because email is often one-to-many. They did not consider one-to-one
activity (like web page access) in their analysis. Perhaps everyone
simply read their work and just assumed proof-of-work could never work
for anything?
https://trac.torproject.org/projects/tor/ticket/4666#comment:6
 
> Did you try to estimate how much CPU work would get one a token once
> such a system is deployed full-scale, with spammers (possibly with
> botnets) competing for resources? E.g., you can get a rule-of-thumb
> estimate by putting some dollar value on a token, and looking at the
> generic-CPU work required for an equivalent Bitcoin amount.

The proposed system has two knobs that site admins can use: computation
quantity, and computation freshness. As scraping abuse increases, admins
would be free to set the "price" higher as needed, and require more
recent, fresh computation as needed. When abuse is low, the requirements
can be turned down.

I created these two knobs because what we have seen over the years is
that scraping abuse over Tor is not constant. Every few months, some
jerk decides "Hey, I know, I'll scrape $SITEX and resell the data and
make MEEELIONS", until the bans or captchas go up and they shut down.
Then, all is quiet until the bans expire and the next jerk gets the idea
a few months later. At least, this is the pattern that the Scroogle
admin sees. I assume the situation is similar with Google directly, but
they are very tight-lipped.

> Perhaps captchas might look more appealing after that.

Captchas currently cost anywhere from $0.01 to $0.001 to solve. Yes,
that's 1/10 of 1 US cent each:
https://krebsonsecurity.com/2012/01/virtual-sweatshops-defeat-bot-or-not-tests/

If they are working at all now, they work only because they marginally
raise the cost of bulk scraping enough to slow scraping crawls and
reduce the server load back to acceptable levels.

I think tunable proof-of-work could easily beat this very low bar, with
much less hassle for users.



-- 
Mike Perry
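
The two knobs described in the message above (computation quantity and computation freshness), as an added example that is not part of the original post and is not the design from the ticket: a hashcash-style SHA-256 token bound to a site challenge that rotates each epoch. The names `challenge`, `work`, `mint`, `Verifier`, `EPOCH_S`, the secret and the token layout are all assumptions made for illustration.

```python
import hashlib
import hmac

EPOCH_S = 600  # assumed rotation period; in use, now_epoch = int(time.time()) // EPOCH_S

def challenge(secret: bytes, epoch: int) -> str:
    """Per-epoch challenge; unpredictable in advance, so work cannot be done early."""
    return hmac.new(secret, str(epoch).encode(), hashlib.sha256).hexdigest()

def work(chal: str, nonce: int) -> int:
    """Leading zero bits of SHA-256(challenge:nonce); each extra bit doubles the cost."""
    digest = hashlib.sha256(f"{chal}:{nonce}".encode()).digest()
    return 256 - int.from_bytes(digest, "big").bit_length()

def mint(chal: str, epoch: int, bits: int) -> tuple:
    """Client side: search nonces until the hash shows at least `bits` of work."""
    nonce = 0
    while work(chal, nonce) < bits:
        nonce += 1
    return (epoch, nonce)

class Verifier:
    """Site side: min_bits is the quantity knob, max_age_epochs the freshness knob."""

    def __init__(self, secret: bytes, min_bits: int, max_age_epochs: int):
        self.secret = secret
        self.min_bits = min_bits
        self.max_age_epochs = max_age_epochs
        self.spent = set()

    def check(self, token: tuple, now_epoch: int) -> str:
        epoch, nonce = token
        if epoch > now_epoch or now_epoch - epoch > self.max_age_epochs:
            return "stale"
        if work(challenge(self.secret, epoch), nonce) < self.min_bits:
            return "insufficient-work"
        if token in self.spent:  # each token pays for exactly one request
            return "replayed"
        self.spent.add(token)
        # Forget spent tokens that are already too old to pass the freshness check.
        self.spent = {t for t in self.spent if now_epoch - t[0] <= self.max_age_epochs}
        return "ok"

if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # constructed sample value
    site = Verifier(secret, min_bits=12, max_age_epochs=1)
    tok = mint(challenge(secret, 100), 100, 12)  # about 4096 hashes on average
    print(site.check(tok, 100), site.check(tok, 100), site.check(tok, 102))
```

Raising `min_bits` by one doubles the expected hashing per token, and lowering `max_age_epochs` shrinks the window in which stockpiled tokens remain spendable.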