[tor-talk] CloudFlare

[Jacob Appelbaum]

Matthew Finkel:
> On Thu, Apr 18, 2013 at 09:57:06PM +0000, Jacob Appelbaum wrote:
>> Matthew Finkel:
>>> On Thu, Apr 18, 2013 at 09:01:21AM +0000, Matt Pagan wrote:
>>>>> They're based in San Francisco, along with Craigslist (which
>>>>> is another misguided arbitrary blocker of Tor exits).
>>>>> Any other SF based companies that could benefit from
>>>>> a visit or hackerspace talk about why they should not
>>>>> be blocking Tor?
>>>>
>>>> Yelp is based in San Francisco. So is Pinterest. Getting the Wikimedia
>>>> Foundation (also based in San Francisco) to come over would be a huge
>>>> victory, IMO.
>>>>
>>>
>>> Wikimedia is actually willing to discuss an alternative setup if a
>>> usable one is found. Their current implementation is not really
>>> acceptable, but there also isn't really a working/implemented alternative
>>> solution, at this point (and it's not exactly at the top of their list
>>> to implement their own).
>>
>> I was involved in writing the DNSBulkExitList program specifically for
>> Wikipedia at the request of Tim S. At the time, I believe that it was
>> better than simply blocking every Tor node - it only blocks exit nodes
>> that allow exiting to Wikipedia.
>>
> 
> Interesting, I assume this was before Onionoo was around. I understand
> why it was/is necessary.

Isn't it still being used?

> 
>> It is possible to request a special flag on a Wikipedia account that is
>> granted by way of some special handshake. It is possible to take an
>> already created account and use it for edits as the flag overrides the
>> Tor block.
>>
> 
> Yes, and it's a good solution, assuming one already has an account. The
> real issue is creating an account anonymously and then gaining the
> privilege to edit with that account...and...

Right - that and the general class system that it promotes - "hey, you
know someone, cool, you can have anonymity" - whoops. Talk about
liability? One wonders...

> 
>> A workable solution would be to continue to use such a list to detect
>> Tor usage and then to ensure that we now allow new accounts to be
>> created over Tor. The MediaWiki should ensure that HSTS is sent to the
>> user and that the user only ever uses HTTPS to connect to Wikipedia.
>>
> 
> Yes, I completely agree.

How do we make this happen?

> 
>> I think we should ensure that Wikipedia understands that the account was
>> created with Tor and that the user may be using this to circumvent
>> censorship, to protect what they are reading or editing from their local
>> network censors or surveillance regime as well as to protect IP address
>> information that the US currently doesn't really protect (see USA vs.
>> Appelbaum; re: my Twitter case). Since the US can see a lot of the
>> traffic to Wikipedia, I'd guess that this is important worldwide.
>>
> 
> Again, I agree.

Is there a general disagreement about these points in the Wikipedia
community?

> 
>> If the user is abusive and an IP block would normally apply, Wikipedia
>> would not block by IP but would rather use the normal Wikipedia process
>> to resolve disputes (in edits, discussions, etc) and if the account is
>> just being used for automated jerk behavior, I think it would be
>> reasonable to lock the account, perhaps even forcing the user to solve a
>> captcha, or whatever other process is used when accounts are abused in
>> an automated fashion.
>>
> 
> The fear associated with taking this path is that there will be an
> overwhelming amount of "jerk behavior" such that it overwhelms the
> wikipedia community and therefore discourages volunteers from actually
> reviewing edits. The correct course of action is a difficult problem
> (which is why this is likely still unsolved). It may be good to also
> have a trial period where the user must submit x number of edits that
> are not-deemed-to-be-jerk-behavior before they will be able to edit the
> live page, just a thought though.

I have thought of such things too - I think that a random review partner
might be a reasonable purgatory for those that desire privacy - they get
security, privacy and anonymity for reading; if they want to edit, it
takes a bit of effort.

> 
>> Most of that isn't technical - it is a matter of accepting that some of
>> us are not free. Some of us who are not free require systems like Tor to
>> participate in the Free Culture community curated by the Wikipedia
>> community on Wikipedia. Some of us will then be free to be part of that
>> community and perhaps, if we work smartly, other freedoms will follow
>> from the knowledge of the community.
>>
>> All the best,
>> Jacob
> 
> I think people (in general) lose sight of this, often, and it's important
> that we remember why we do what we do, whether supporting a free and
> uncensored internet (and world) or supporting a site that provides a
> wealth of content not (freely) accessable anywhere else.
> 

I agree.

> With respect to the WikiMedia and Tor communities, it seems as if both
> are, understandably, more concerning with furthering their cause than
> figuring out a way to work together (not necessarily the devs of the
> projects, but the communities as a whole). However, as far as I can tell,
> if we're both going to be successful in our goals, we're going to need
> to be able to cooperate and determine a solution that fulfills the needs
> of both groups - at this point it feels as if Tor users prefer to single
> out WikiMedia as not being Tor friendly and the WikiMedia community
> doesn't see the benefit of allowing Tor users to contribute (yes, these
> are harsh generalizations, sorry).

I'll write code, give talks, answer questions, and help in whatever way
might help. I have done similar things in the past for Wikipedia -
please let me know how I might help?

> 
> I really think a solution would be a considerable benefit to everyone.

I agree.

All the best,
Jacob