[OSM-talk] threats

Martyn Welch martyn at welchs.me.uk
Mon Jul 24 16:27:41 BST 2006


On Sunday 23 July 2006 12:19, Immanuel Scholz wrote:
> In other words, if there is a possibility to look at history and revert
> changes, then the above concern is nil?
>

No - because it would depend on the frequency with which this kind of action 
would require to be taken. If anonymous access caused one or two random 
idiots, who sat on dynamic IP connections, to decide to delete all the data 
on a regular basis, ensuring all the data was reverted would become a 
ball-ache. It would then require blocking by IP; since these IPs are dynamic, 
this could potentially stop innocent parties from editing OSM if they ended 
up with these IPs later.

> *finger crack*.. This item was long enough on the wishlist..
>

And there is a lot of coding involved to make this kind of thing stable and 
usable - that's why it's still there no doubt.

> > Second, if anyone uses that account to upload copyrighted data and we
> > get a cease and desist then I have to remove everything that account
> > did.
>
> Removing everything that is copyrighted is another option,

If the courts decide that this is appropriate or the other party agrees, which, 
given they have a vested interest in minimising competition, it is likely they 
won't. They'll want to get as much deleted as possible.

> removing everything that was contributed the last 2 days over this
> account is an option.

Which could be a lot if anonymous access gets popular.

> And removing everything that was contributed by a specific IP-Address
> over this account is an option too (but would mean that we have to log
> IP's - like wikipedia does).
>

Which isn't foolproof - Dynamic IPs.

> Removing everything is an (very drastic) option, sure. But it is not the
> only and probably not the best.
>

Or people could just sign up for accounts and we delete based on account...

>
> BTW: Having many bogus accounts does not help this issue much, as long
> as accounts can be created automatically. Captchas?
>

Accounts shouldn't be *that* easy to create.

> > Third, it's just not due diligence to allow it.
>
> I don't understand this.
>

http://en.wikipedia.org/wiki/Due_diligence

> > There are arguments for allowing ip address-based editing like wikipedia
> > but it's not implemented at all.
>
> Ok, so if I implement IP logging, this concern vanishes? I am fine if
> the IP is not displayed along with the data.
>

I'd like to see how you propose to close the flaws in IP logging approaches.

> > So we went on to IRC as jabber instant message was having problems
> > (transcript below, please read, I've just removed his password). Imi
> > published his user/pass for OSM (thus compromising everything above) and
> > said if I deactivate the account then he's off for sure. I asked him to
> > reconsider, see below.
>
> My announcement about the deactivation was, of course, if the account
> gets deactivated only because I made the password public.
>

If you publicly on purpose published a generic username and password for an 
account on a service/machine I admined I'd want to do a lot more violent 
things than deactivate your account. I think that Steve's being very 
restrained in not deleting your account PDQ.

> > These kind of threats are _unfair_, and having them linger is unfair.
>
> I don't see it as a threat. Instead, I want to show by example, that
> Steve can not stop people from being anonymous if they want so.
>

In the way you did it - yes he can. He simply deactivates your account.

People have plenty of scope to be as anonymous as they want.

If you want an anonymous email address, try this: 

http://mixmaster.sourceforge.net/

Call yourself "john smith".

> I showed this by example and made my account public, so everyone can use
> this.
>

I think your argument is flawed. It appears as a threat to me:

"Give everyone an anonymous R/W account or I quit"

or more accurately:

"I have set up an anonymous R/W account for anyone to use. Keep it open or I 
quit"

> (Steve wrongly assumed, that an identity can be associated to a person
> by a secret, even if that person does not want to be identified. That's
> a common mistake in cryptography.

No, he wants people's edits (as anonymous people or not) to be distinguishable.

> Everyone can reveal his own secret and 
> claim not to be the associated because the secret was revealed)
>

Which *should* be classed as abuse of the terms and conditions of having an 
account, so you *should* still be liable.

> > The other thing is the claim that I am trying to stop anonymity. Given
> > the flak/flames I took for not releasing everyone's login details, their
> > gps traces etc (the entire database)... I'm just perplexed.
>
> I want to make a clear cut between
> - allow people to be anonymous
> - try to reveal identities of people, even if they want to stay anonymous
> - since currently there is no (official) anonymous account, we can
> assume, that all people who want to be anonymous have used bogus accounts.
>

I think the cut should be made between:
1) Read access to the data
2) Write access to the data

I agree with having non-account access to read the data.
I don't agree to having write access without an account.

> > Imi, please reconsider and let me change your password now it's out in
> > the open.
>
> Well, ok. Change the password (it was silly anyway :). I just want to
> demonstrate, that anonymity cannot be prevented by knowledge of secrets.
>

I'd have said:
s/silly/foolhardy/

I don't think the point is to know *who* everyone is, just to delineate the 
changes made by each individual.


-- 

Martyn Welch (martyn at welchs.me.uk)

PGP Key : http://www.welchs.me.uk/martyn/pgpkey/