
This is exactly what is wrong with this form of idealism. People create these things which remove accountability/reputation, it works great for a while and is lots of fun (just like a mask party), and then the leeches move in and use it for spam/trolling/illegal stuff. It's usually the leeches who are the real long-term beneficiaries of these kinds of networks. However, the idealistic people who originally created it don't want to admit that their experiment failed and they actually created something which is now serving the interests of something not so idealistic and perhaps even quite sinister.

Bitcoin has the same issue: there are lots of legit uses of it, but to make it a good widely used currency, a reputation system is going to emerge, and from there you've already erased half the benefits of using Bitcoin. However, in the meantime Bitcoin is used by a bunch of people purely interested in speculation or as a way of avoiding taxes/money laundering laws/etc. There are people, just like Tor, using it for legit reasons, but my bet is it's mostly for reasons nobody in the Bitcoin community likes to admit.




Exactly. But I strongly disagree.

You don't blame mask manufacturers for malicious people wearing masks.

It's like city guards banning everyone with a mask from entering and issuing IDs to them. Then they're using those IDs to determine what they should and shouldn't see in the city, tracking them everywhere "across cities" etc.

In the interest of privacy, it is best to instead use the dynamic nature and types of the requests to figure out what the behavior is like.

Going with the mask analogy, they should instead check if a person is brute forcing lock combinations. Maybe even condition on the fact that they're wearing a mask.


> Going with the mask analogy, they should instead check if a person is brute forcing lock combinations. Maybe even condition on the fact that they're wearing a mask.

That's what they're doing. They are seeing brute forcing come from a bunch of IPs and they're blocking those. What do you expect them to block on? The people using the anonymous service voluntarily identifying themselves on every request (cookies, browser fingerprinting, or pretty much anything else coming from the client side that can be faked)?


Instead of having an IP-based reputation system that persists for quite a while, they could have a time limit per IP for specific kinds of requests.

Like if you fail to log in to a site, 2^(attempts) timeout from that IP for that page only. Can also integrate a combination of request headers. Sure, it's still IP-based reputation, but it doesn't persist and is much less intrusive.

Most sites require specific cookies on consecutive requests, and such blocking should be on the app side only.

There are solutions in each case and all of them are harder than IP-based blocking. However, in the interest of privacy, they should adopt these more nuanced solutions.
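
The scheme proposed in the comment above (a 2^(attempts) timeout per IP, for one page only, that does not persist), sketched as an added example that is not part of the original thread. The class name, the 300-second cap and the 600-second forget window are assumptions chosen for illustration; the header combination mentioned in the comment is not implemented.

```python
import time

class LoginBackoff:
    """Per-(IP, path) exponential lockout; state is dropped after a short idle window."""

    def __init__(self, max_lock=300.0, forget_after=600.0, clock=time.monotonic):
        # forget_after should exceed max_lock so a lock never outlives its record.
        self.max_lock = max_lock          # assumed cap on a single lockout (seconds)
        self.forget_after = forget_after  # assumed idle time before the IP is forgotten
        self.clock = clock
        self._state = {}                  # (ip, path) -> (failures, locked_until, last_failure)

    def _get(self, key, now):
        entry = self._state.get(key)
        if entry and now - entry[2] > self.forget_after:
            del self._state[key]          # reputation expires: nothing persists past the window
            entry = None
        return entry

    def retry_after(self, ip, path):
        """Seconds the caller must still wait; 0.0 means the attempt may proceed."""
        now = self.clock()
        entry = self._get((ip, path), now)
        return max(0.0, entry[1] - now) if entry else 0.0

    def record_failure(self, ip, path):
        """Register a failed attempt and return the new lockout length in seconds."""
        now = self.clock()
        entry = self._get((ip, path), now)
        failures = (entry[0] if entry else 0) + 1
        lock = min(float(2 ** failures), self.max_lock)
        self._state[(ip, path)] = (failures, now + lock, now)
        return lock

    def record_success(self, ip, path):
        self._state.pop((ip, path), None)  # a successful login clears the counter

def demo():
    t = [0.0]                              # fake clock so the run is deterministic
    lim = LoginBackoff(clock=lambda: t[0])
    ip, page = "198.51.100.7", "/login"    # constructed sample values
    locks = [lim.record_failure(ip, page) for _ in range(3)]
    blocked = lim.retry_after(ip, page)            # still locked on /login
    other_page = lim.retry_after(ip, "/search")    # other pages are unaffected
    t[0] += 601                                    # idle past the forget window
    after_expiry = lim.retry_after(ip, page)
    next_lock = lim.record_failure(ip, page)       # counter restarted from one failure
    return locks, blocked, other_page, after_expiry, next_lock
```

Because the key is the (IP, page) pair, a shared exit address that trips the limit on one login page is still served everywhere else, and is forgotten entirely after ten idle minutes.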


So a single IP address can DDoS each page of a website for a little while before CloudFlare blocks them? That makes the whole protection pretty useless. I guess it would stop someone from brute-forcing password attempts, but that's not the only thing they're trying to protect against here.


Not necessarily. These work in combination.

If they're requesting a specific type of content like images or some weird request that queries DB, these would be grouped together.

What I'm saying is gather more information for each request and use it more wisely to expire IP reputation quicker - within minutes as opposed to months.

The DDoS problem is actually easier than the rest because you need a large volume of requests to do anything. Usually these requests are very similar, come in rapid succession and come from the same bunch of IPs.

Edit:

Going with the mask analogy again, it's like you see 1000 masked people rush into a bar and block the entrance with their bodies.

Is the solution really to ban wearing masks everywhere?


A single IP can't "DDoS" anything.


Ha! Seriously though if some set of IPs is DoSing then they have to take action against at least some of the IPs in the set.


> It's like city guards banning everyone with a mask from entering and issuing IDs to them.

The flaw in this analogy is that in this case the mask makes every person completely indistinguishable from every other person wearing the mask. In this case, one ID is issued to every person wearing the mask.

When 90%+ of the people with this ID are criminals and vandals, blocking anyone with this ID is a pretty obvious and effective way to prevent crime and vandalism. It seems pretty reasonable to me when presented this way.


That's a crazy thing to do. Why would you block everyone? This would completely erode privacy online.

As I said elsewhere, if you see 1000 masked people rush into a bar and block the entrance with their bodies, is the solution to block all masked people from going to all establishments?

Clearly, if this happened IRL, people would just put a limit on the number of masked people entering that bar until there wasn't a group of 1000 of them trying to get in.


>Clearly, if this happened IRL, people would just put a limit on the number of masked people entering that bar until there wasn't a group of 1000 of them trying to get in.

IRL, the bar would call the police and anti-riot forces would move in with crowd control equipment. Tear gas would be launched at the masked people and a lot of the masked people would be hauled to the police station where their identity would be recorded and a background check would be performed. It's not pretty but it's reasonable.

I have used Tor out of a legitimate wish for privacy. I have cursed Cloudflare and Google in passing to myself for their captchas presented to me when I've browsed through Tor.

Captchas in general are a royal pain in the butt, but they are among the most effective at protecting sites from abuse, so even though they annoy me at times, I hold the view that they are a net positive.

If you want to help preserve anonymity, I think the best course of action is not to focus on Cloudflare, but instead to help maintain one or more communities on onion sites. The change must come from within. Once it has been shown that an onion site is able to provide useful services over time with privacy but with the same level of protection from abuse and bad people, then, in my view, it is time to reach out and educate the wider 'net on how this can be done.


Except you can't tell the individuals apart, and so you can't limit it to 1,000 individuals. You can't just let some in if you can't tell them apart. There is no door that works that way in this case.

It's best to imagine it's a walk-up bar rather than one with a door.


> As I said elsewhere, if you see 1000 masked people rush into a bar and block the entrance with their bodies, is the solution to block all masked people from going to all establishments?

Try wearing a mask into a petrol station or convenience store. They've already performed the assessment of 'potential sale vs getting robbed', and decided the risk factor they'd like to accept.


That's because IRL you're already pseudo anonymous.

Now imagine a convenience store that demands you to tell them where you've been this month and doesn't let you in otherwise.


It's a problem inherent in any system offering pure anonymity in an unrestricted way.

It's really a shame. An opinionless platform offering anonymity cannot flourish in an opinionated world. At some point if these things want to succeed, they need to play by the rules of the world that they exist in. But I don't think anyone's figured out a common set of systemic restrictions that Tor, 4chan, etc. can implement that avoid taking away their primary affordance: freedom.



