[p2p-hackers] BitTorrent measurements / fully decentralized systems

Enzo Michelangeli em at em.no-ip.com
Wed Dec 15 12:50:55 UTC 2004


----- Original Message ----- 
From: "Adam Lydick" <list-p2phack at ruffledpenguin.org>
To: "Peer-to-peer development." <p2p-hackers at zgp.org>
Sent: Wednesday, December 15, 2004 7:15 PM

[...]
> However, only positive ratings tend to be useful, in such a system, as
> pseudoanonymous identities are "throwaway" by design. If I'm an evil
> attacker trying to raise the rating of my fake/hostile content, I'll
> just discard my current identity as soon as users identify it as
> hostile.

It may be preferable to blacklist for a while the identities found to be
hostile: running into their evil deeds over and over again may be too time
and bandwidth consuming. On the other hand, a newcomer must necessarily be
given the benefit of the doubt, or else it won't ever get a chance of
increasing its reputation.

> Making identities somewhat expensive to create might be an interesting
> solution to this problem (eg: identity is public key + a
> public-key-bound proof of work), although I worry that attackers with a
> moderate amount of resources could still abuse the process. (a normal
> user isn't going to leave a small network of machines running 24/7 to
> generate new identities).

They could, but the attack would be slowed down. One could use some
Dworkian memory-bound POW in order to level the playing field.

> In the end, I think that the best solution is to default to
> "untrusted/semi-trusted" and manually add authorities as you discover
> them to be helpful/truthful. I find "word of mouth" to be much more
> effective than any automated system when making trust decisions. (eg:
> the recommendation of a knowledgeable co-worker vs. Google's PageRank,
> Amazon reviews, or epinions)

Sure, I was thinking of automating the usage of the list, not its
construction: a user should always be able to import new identities
through a semi-manual procedure. Identities themselves could be propagated
peer-to-peer and endorsed with signatures by other already trusted
identities, WoT-style. But it would also be nice to have a user-friendly
UI that, after accessing a resource, asked: "Is the file I just fetched
you a good one?" and if the answer is "no", it should automatically
blacklist all the identities that had endorsed it, and maybe their
endorsers as well.

Enzo
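
Added example, not part of the original message: a sketch of the time-limited blacklist and endorser propagation discussed above. The class name, the TTL and the depth limit are assumptions, and endorsements are assumed to have been signature-checked before they are recorded.

```python
import time
from collections import deque

class TrustList:
    """Local, time-limited blacklist fed by negative feedback on fetched resources."""

    def __init__(self, ttl_seconds=7 * 24 * 3600, max_depth=1):
        self.ttl = ttl_seconds          # assumed length of "a while"
        self.max_depth = max_depth      # 0 = direct endorsers only, 1 = their endorsers too
        self.resource_endorsers = {}    # resource id -> identities that endorsed it
        self.identity_endorsers = {}    # identity -> identities that vouched for it
        self.blacklist = {}             # identity -> expiry timestamp

    # Callers are assumed to have verified the endorsement signature already.
    def endorse_resource(self, identity, resource):
        self.resource_endorsers.setdefault(resource, set()).add(identity)

    def endorse_identity(self, endorser, identity):
        self.identity_endorsers.setdefault(identity, set()).add(endorser)

    def report_bad(self, resource, now=None):
        """User answered "no": blacklist the endorsers, walking up the endorsement graph."""
        now = time.time() if now is None else now
        queue = deque((i, 0) for i in self.resource_endorsers.get(resource, ()))
        seen = set()
        while queue:
            ident, depth = queue.popleft()
            if ident in seen:           # endorsement cycles must not loop forever
                continue
            seen.add(ident)
            self.blacklist[ident] = now + self.ttl
            if depth < self.max_depth:
                queue.extend((e, depth + 1)
                             for e in self.identity_endorsers.get(ident, ()))
        return seen

    def is_blacklisted(self, identity, now=None):
        """Unknown identities are not blacklisted: newcomers get the benefit of the doubt."""
        now = time.time() if now is None else now
        expiry = self.blacklist.get(identity)
        if expiry is not None and expiry <= now:
            del self.blacklist[identity]    # entry has aged out
            expiry = None
        return expiry is not None
```

The depth limit bounds how far one bad file can reach into the endorsement graph, so a single mistaken endorsement does not blacklist a whole chain of trust.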




