Hacker News new | past | comments | ask | show | jobs | submit login

Tor can be used for good and for bad. It's the very same problem that Cory Doctorow talks about in his lectures about the War on General Purpose Computing, and it's not an easy problem to solve.

I'm an admin on a social/gaming site (a MUD with appendant forum, blogs, and other community elements), and we have had to make a few decisions about Tor in the last couple of years.

Some background: the site is quite old, and we have historically encouraged users to sign up without needing to provide a unique ID such as email address. They _can_ provide one, but don't have to. In the last few years we have had the problem of occasional griefers log on and cause whatever social havoc they can.

Now, my personal feelings about Tor are generally quite positive, and I like the freedoms it provides people who are otherwise restricted by their ISPs or governments from accessing legitimate resources. Like many others have said, Tor is a tool that, while it can be used to do illegal things, is also used to provide a very useful service to people who need it to get on with things you and I take for granted.

Now, back to our griefers: We have a number of banning mechanisms based on IP or domain, and they tend to be successful because griefers usually get bored when they can't access the site for a couple of hours. However, because a tiny minority of griefers are more persistent, more technically adept, and figured they could use Tor to damage our community, we did a little bit of analysis and found that few if any legitimate users of our site came from Tor exit points, and we chose to block them. The alternative was to require a unique identity during the sign-up process, and frankly we wanted as few hurdles as possible to new users (anyone who knows the MUD community knows that it's in decline, and low-friction signups are pretty desirable). So we blacklist Tor exit points from our signup process.

The unfortunate fact is that some Tor users do bad things with the fantastic tool at their disposal, and end up spoiling it for the legitimate (and extremely valuable) use cases that make it such an amazing tool. Yet its very anonymity means that there is no easy way to allow one set of uses while disallowing others. This is a hard problem, and one I'm not smart enough to solve.




This problem may very well grow as IPv6 gains adoption. IP address won't be a viable indicator of identity.

What we need is a distributed, pseudonymous reputation system. In this way, honest users would have no problem signing up for services such as yours, but griefers would have much more trouble, because there would be a very real cost each time they destroyed one of their pseudonymous identities.


I'd be interested to know what MUD it is. :)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: