Name: the distbb guy 2013-11-10 19:29
Hi. I have not forgotten about you. I have, however, been drowning in work (and I still am).
I've realized that the design of DistBB allows an attacker with low to moderate resources to track down the exact node that posts something, simply by polling every node at short intervals and seeing where the node appears first. If nodes are hidden services (Tor or I2P or otherwise), the attacker doesn't immediately find out the poster's identity, but can accumulate a large number of posts coming from their node and figure out your identity from that. Unless, of course, the poster slips up at any point. This is a definite privacy leak.
So far every solution for true anonymous posting I've come up with involves either reimplementing a whole web-of-trust scheme (and using that as a remailer system), a proof-of-work system, or a CAPTCHA. The obvious constraint is preventing spammers from posting far faster than moderators can keep up with.
Web-of-trust sounds, and is, fairly complicated. It would definitely stray away from the goal of simplicity of the project.
Proof-of-work may work out to be sufficiently simple. The main problem is then that users with low resources will be penalized. The system may also not be entirely effective against spammers with large amounts of resources.
Finally, offering both textual and visual CAPTCHAs should be a viable solution, at the cost of some simplicity.
My proposal is as follows: Keep the anonymous posting part separate from ``the'' DistBB protocol, and specify a separate anonymous posting protocol with proof-of-work and CAPTCHA methods.
If you have better ideas I want to hear them.
Otherwise, the actual challenge is in designing a simple yet effective textual (and maybe visual) CAPTCHA system.
I've realized that the design of DistBB allows an attacker with low to moderate resources to track down the exact node that posts something, simply by polling every node at short intervals and seeing where the node appears first. If nodes are hidden services (Tor or I2P or otherwise), the attacker doesn't immediately find out the poster's identity, but can accumulate a large number of posts coming from their node and figure out your identity from that. Unless, of course, the poster slips up at any point. This is a definite privacy leak.
So far every solution for true anonymous posting I've come up with involves either reimplementing a whole web-of-trust scheme (and using that as a remailer system), a proof-of-work system, or a CAPTCHA. The obvious constraint is preventing spammers from posting far faster than moderators can keep up with.
Web-of-trust sounds, and is, fairly complicated. It would definitely stray away from the goal of simplicity of the project.
Proof-of-work may work out to be sufficiently simple. The main problem is then that users with low resources will be penalized. The system may also not be entirely effective against spammers with large amounts of resources.
Finally, offering both textual and visual CAPTCHAs should be a viable solution, at the cost of some simplicity.
My proposal is as follows: Keep the anonymous posting part separate from ``the'' DistBB protocol, and specify a separate anonymous posting protocol with proof-of-work and CAPTCHA methods.
If you have better ideas I want to hear them.
Otherwise, the actual challenge is in designing a simple yet effective textual (and maybe visual) CAPTCHA system.