[tor-talk] CloudFlare grarpamp

Lucia Liljegren lucia at rankexploits.com
Fri Apr 19 19:03:51 UTC 2013


Reply to:
Date: Fri, 19 Apr 2013 10:32:54 -0400
From: grarpamp <grarpamp at gmail.com>
To: tor-talk at lists.torproject.org
Subject: Re: [tor-talk] CloudFlare


>Some of them even have that as their advertised featureset,

This was precisely my point. It also shows why you were utterly incorrect to suggest that

> "Though I don't think I'd apply a permaban, because whatever IP is bothering you will eventually get 
> pulled at the source before long. Unless their profits come from spam, bribing Russian officials 
> with cracked CC's, etc." 
(Date: Thu, 18 Apr 2013 19:39:42 -0400 From: grarpamp <grarpamp at gmail.com> To: tor-talk at lists.torproject.org Subject: Re: [tor-talk] CloudFlare) 


The reality-- as it appears you full well know-- is that some services advertise their willingness to permit people continued access to IPs to make any requests they please even if their requests bother me the owner of the resource they wish to access.

>And here we are alongside EFF and many others fighting for those
>same services, open wifi and other's right to even exist. 

You can fight for the services all you wish. It's even fine with me if they exist. But if ranges which carry a lot of spamming/cracking/scraping exist, then those who are on the receiving end of those unwelcome attacks and who can easily identify these ranges dominated by that sort of request are going to block those ranges. The alternative is to have a server hammered so it crashes under the load. Or for hobbyists, if those ranges remain unblocked the server costs would be so high they cannot run their own blog to discuss things with their own readers.

>Can anyone imagine a world where users are in control of their own
>privacy and data, can speak freely, securely and directly amongst
>themselves and can utilize services without undue regard to where
>they are, who they are, or who came before?

Can anyone imagine a world where small time bloggers and mom and pop stores can run their sites without their servers bogging down under the groaning load of scrape bots, hack bots and spam bots hammering day in and out?

>We're talking about end users using Tor to access services, not
>warfare between businesses :)

I thought we were also discussing
a) Cloudflare's policy toward blocking Tor.
b) End users blocking Tor  
c) Reasons why they  might block TOR and 
d) Reasons why one might IP block permanently.

Specifically, I thought I was engaging your comment that you would not ban an IP permanently and your theory why one ought not to ban them permanently.

You brought up your sad tale about the unnamed dating service canceling your service for some reason you find unfathomable. I speculated that you had, indeed, used a dirty IP range. But evidently, you didn't enquire the reason for the block and moved on. So we don't know.

With regard to that incident, you claim 

>> This particular service had no published policy against using Tor
>> and no 'for cause' behavior existed

We have to take your word for everything in your claim because 
(a) we don't know the name of the dating service so we can't look up their TOS and 
(b) other than connecting from a Tor IP in Brazil, we don't know what else you might have posted or done.

Moreover, we don't even know if they banned you for using TOR. You don't even know why they banned you.  For all we know you wrote something you think is inoffensive but another customer found offensive. 

>I disagree with the notion that blocking causes no injury towards users.
You are free to disagree. But I think just as no one owes you free access to their living room, or free pancakes in their restaurant, no one owes you free access to their services.

> Whether we like or admit it or not, those services are a part of society, even growing as society develops
> to the point of being expected and necessary

Restaurants, gas stations, bookstores and libraries are also part of society and provide services. As far as I am concerned, those that do not give you free pancakes, gas, books or permit you to check out library books with no identification are not doing you any injury. They have a right to do this even if you wish they would behave differently.

>When they block users without individual cause, they deny them the right to participate in that part of society.
The place where you are going wrong is not understanding *who* gets to decide on what constitutes individual cause for being blocked.  In any case, if you think the world needs a dating service that permits https access using TOR, you are likely free to start one, market it and carry the costs and liabilities associated with the service. If it's popular, you will profit. 

> We may be reaching the point that if I were a giant US based service and decided to block all of California
>because there are some bad people there, I might well be facing a civil lawsuit, and for good reason.

Are we reaching such a point? I'm under the impression we are nowhere near there and I sure hope we never will get there. I would suggest that most privately held services should be free to block all of California for any reason they wish. Amazon.com blocks people living in states with certain types of sales tax laws from joining the affiliate program; I got dropped for that reason. I think Amazon.com should be free to do this if they wish.

>I'd certainly be subject to bad review, upstart competition and a fleeing userbase. Which might all
>seem to nullify my action, but woes for the time lag needed for that to happen with giant services. During that time,
>I've caused injury to a whole swath of people.

I thought you said our conversation was not about "warfare between businesses :)" Yet, here you are bringing it up again.  

If a business makes a business decision permissible within the law, they will either gain or lose customers and profits as a result of their business model. As far as I am aware, blocking California, closing on Sunday, being open only 8 hours a day, serving breakfast items only between 4 am and 10 am or blocking TOR are allowed.  It's true that some people might write a poor review complaining of this particular business policy. Business owners are likely to bear that in mind when making these policies.

>Some employers allow use of the net for non-work things. That doesn't
>mean a user should trust them, their staff or their non snooping
>policy, which if you read it is probably riddled with holes anyways.

I didn't say you should trust them not to snoop. In fact, I would strongly advise against it. Depending on your employer, they may be legally required to keep some records, and those records could be divulged under a subpoena under FOIA or any number of other ways. I said if you don't want your employer to know you are visiting dating sites while at work you could consider not visiting dating sites at work.


Whatever you choose to do, your desire to mask your activities from your employer does not create an obligation on the part of the dating site to provide you https services or permit TOR. The dating service can provide the services it sees fit and you can choose to become their customers or not. They can also refuse you access to their service within the constraints permitted by law. Your grousing about a need for privacy doesn't take away their right to make their own business decisions.

>We also now know as individuals a bit about how to
>evaluate online risks. And as humans, we have always known pretty
>well how to avoid at least physical risks in the real world.

One of the things "we" as "individuals" know is that if someone you've never met in person and who no one you know has ever met makes themselves untraceable, they might be risky dating material. (Or at least "I" singular as an "individual" singular know this.)

>Which one should the
>user trust or question... the one that claims to protect them, or
>the one that leaves that important business up to them?

I didn't say the dating company that blocks TOR is *making a claim*. However, it seems the one that banned your account might be operating in a way that leaves some bread crumbs that police might follow in the event of a horrible tragedy.  You may not like this but other users might find it an attractive feature. To be truthful, if I were dating, I would prefer the dating service to block Tor.  I would prefer an American dating service to block proxy connections from Brazil. I would want them to take payment in the form of traceable credit cards. 

I don't take that behavior as making any claim of full safety nor do I take it as guaranteeing safety. But the fact that a potential date is not untraceable in the event of a tragedy provides an element of security to a single woman in the dating world.  Likely men too. 

>Yet I won't vote for police protectors on every block or hire my own
>security force.
No one is suggesting any such thing. Resorting to overblown hyperbole-by-metaphor does not constitute making a convincing argument for whatever point you are trying to make about the importance of privacy. Blocking TOR or IP ranges that have previously hacked, scraped or spammed is not like having police protectors on every block nor is it like hiring one's own security force. It's more like not permitting four big tough-looking guys wearing ski masks to enter the isolated quicky-mart at midnight in July. Or maybe like having security cameras. Or maybe something in between.

> Therefore many of us try to
> maintain user's freedom to manage their own affairs, have access
> to services large and small (with HTTPS and Tor), and put up with
> a little spam in our so found tiramisu :)

I've never said you should not be allowed to do so. I'm ok with your using TOR. But you've been complaining that people block by IP which as far as I can tell does nothing more than inconvenience you. 

I'm explaining to you why other people might block by IP and include TOR in those blocks. I think you should be free to manage your own affairs and use Tor assuming those inconveniences that might arise as a result of your choices.

I think bloggers, web site owners and service providers should be equally free to decide to protect themselves from floods of brute-force attacks on wp-login.php, swarms of scrapers making 10 requests a second, and preventing their server logs from filling up with requests for plugin vulnerabilities or RFI attack/SQL injection attacks. IP blocks are a tool that can greatly reduce the bombardment. It can't be used alone, but it is somewhat effective. If they happen to block you on TOR, that's a risk some are willing to take. As they have no obligation whatsoever toward you, you may be annoyed, but you aren't being injured any more than if you were not served pancakes at the IHOP simply because you requested the restaurant accept payment by check without requiring a valid ID.


It's fine to insinuate the reason you aren't being served the internet equivalent of pancakes you feel you deserve is that the restaurant owner is trying to keep mere spam out of the tiramisu. But your misunderstanding or misrepresenting the very real issues that are causing people to ban by IP isn't going to persuade anyone to stop doing it. It isn't going to make them feel remotely stupid for blocking by IP or blocking Tor. You can yap about your need or right for privacy all you want. But those services that are trying to protect against RFI attacks or falling prey to zero day vulnerabilities are going to ban by IP focusing on IPs in ranges that are attractive to those who wish to do these things and which have been used to do these things.

Until better ways exist, that's going to include blocking TOR.  


