[p2p-hackers] BitTorrent measurements / fully decentralized systems

Enzo Michelangeli em at em.no-ip.com
Wed Dec 15 12:50:55 UTC 2004

----- Original Message ----- 
From: "Adam Lydick" <list-p2phack at ruffledpenguin.org>
To: "Peer-to-peer development." <p2p-hackers at zgp.org>
Sent: Wednesday, December 15, 2004 7:15 PM

> However, only positive ratings tend to be useful, in such a system, as
> pseudoanonymous identities are "throwaway" by design. If I'm an evil
> attacker trying to raise the rating of my fake/hostile content, I'll
> just discard my current identity as soon as users identify it as
> hostile.

It may be preferable to blacklist for a while the identities found to be
hostile: running into their evil deeds over and over again may be too time
and bandwidth consuming. On the other hand, a newcomer must necessarily be
given the benefit of the doubt, or else it won't ever get a chance of
increasing its reputation.

> Making identities somewhat expensive to create might be an interesting
> solution to this problem (eg: identity is public key + a
> public-key-bound proof of work), although I worry that attackers with a
> moderate amount of resources could still abuse the process. (a normal
> user isn't going to leave a small network of machines running 24/7 to
> generate new identities).

They could, but the attack would be slowed down. One could use some
Dworkian memory-bound POW in order to level the playing field.

> In the end, I think that the best solution is to default to
> "untrusted/semi-trusted" and manually add authorities as you discover
> them to be helpful/truthful. I find "word of mouth" to be much more
> effective than any automated system when making trust decisions. (eg:
> the recommendation of a knowledgeable co-worker vs. Google's PageRank,
> Amazon reviews, or epinions)

Sure, I was thinking of automating the usage of the list, not its
construction: a user should always be able to import new identities
through a semi-manual procedure. Identities themselves could be propagated
peer-to-peer and endorsed with signatures by other already trusted
identities, WoT-style. But it would also be nice to have a user-friendly
UI that, after accessing a resource, asked: "Is the file I just fetched
you a good one?" and if the answer is "no", it should automatically
blacklist all the identities that had endorsed it, and maybe their
endorsers as well.
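
Added example, not part of the original message or of any project discussed in it: a sketch of the two ideas above, a time-limited blacklist and a "no" answer that blacklists a resource's endorsers and, one level up, their endorsers. The class name, the TTL, the depth limit and the sample identities are all assumptions made for illustration.

```python
from collections import deque

class EndorsementBlacklist:
    """Temporary blacklist driven by a WoT-style endorsement graph (hypothetical)."""

    def __init__(self, ttl_seconds, max_depth=2):
        self.ttl = ttl_seconds          # how long "for a while" lasts (assumed value)
        self.max_depth = max_depth      # 1 = endorsers only, 2 = their endorsers too
        self.resource_endorsers = {}    # resource id -> identities that endorsed it
        self.identity_endorsers = {}    # identity -> identities that endorsed it
        self.expires = {}               # identity -> time the blacklisting lapses

    def endorse_resource(self, identity, resource):
        self.resource_endorsers.setdefault(resource, set()).add(identity)

    def endorse_identity(self, endorser, identity):
        self.identity_endorsers.setdefault(identity, set()).add(endorser)

    def report_bad(self, resource, now):
        """The user answered "no": blacklist endorsers up to max_depth levels."""
        queue = deque((i, 1) for i in self.resource_endorsers.get(resource, ()))
        seen = set()
        while queue:
            identity, depth = queue.popleft()
            if identity in seen:        # endorsement graphs can contain cycles
                continue
            seen.add(identity)
            # A repeat offence extends the expiry, it never shortens it.
            self.expires[identity] = max(self.expires.get(identity, 0), now + self.ttl)
            if depth < self.max_depth:
                for endorser in self.identity_endorsers.get(identity, ()):
                    queue.append((endorser, depth + 1))
        return seen

    def is_blacklisted(self, identity, now):
        # Unknown identities (newcomers) are not blacklisted: benefit of the doubt.
        return self.expires.get(identity, 0) > now

def demo():
    # Constructed sample graph: mallory endorsed the bad file, bob and mallory
    # endorse each other (a cycle), carol endorsed bob (three levels away).
    bl = EndorsementBlacklist(ttl_seconds=3600, max_depth=2)
    bl.endorse_resource("mallory", "file-1")
    bl.endorse_identity("bob", "mallory")
    bl.endorse_identity("mallory", "bob")
    bl.endorse_identity("carol", "bob")
    return bl, bl.report_bad("file-1", now=1000)
```

The depth limit is what keeps a single bad endorsement from cascading through the whole graph; with `max_depth=2`, carol in the sample stays usable.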

