Some mistakes have been made.

2 files changed, 69 insertions, 1 deletions

diff --git a/wiki/gossamer/index.md b/wiki/gossamer/index.md
index 2f64e7c..2f5055b 100644
--- a/wiki/gossamer/index.md
+++ b/wiki/gossamer/index.md
@@ -22,7 +22,10 @@ into the Gossamer network.
 
 Gossamer does not exist, but if it did, the following notes describe what it
 might look like, and the factors to consider when implementing Gossamer as
-software.
+software. I have made [mistakes](mistakes) while writing it; I have not
+rushed to build it specifically because Twitter, Gossamer's model, is so
+deeply woven into so many peoples' lives. A successor must make fewer
+mistakes, not merely different mistakes, and certainly not more mistakes.
 
 The following is loosely inspired by [Rumor
 Monger](http://www.mememotes.com/meme_motes/2005/02/rumor_monger.html), at
diff --git a/wiki/gossamer/mistakes.md b/wiki/gossamer/mistakes.md
new file mode 100644
index 0000000..bb006db
--- /dev/null
+++ b/wiki/gossamer/mistakes.md
@@ -0,0 +1,65 @@
+# Design Mistakes
+
+## Protected Feeds? Who Needs Those?
+
+Gossamer's design does not carry forward an important Twitter feature: the
+protected feed. In brief, protected feeds allow people to be choosy about who
+reads their status updates, without necessarily having to pick and choose who
+gets to read them on a message by message basis.
+
+This is an important privacy control for people who wish to engage with
+people they know without necessarily disclosing their whereabouts and
+activities to the world at large. In particular, it's important to vulnerable
+people because it allows them to create their own safe spaces.
+
+Protected feeds are not mere technology, either. Protected feeds carry with
+them social expectations: Twitter clients often either refuse to copy text
+from a protected feed, or present a warning when the user tries to copy text,
+which acts as a very cheap and, apparently, quite effective brake on the
+casual re-sharing that Twitter encourages for public feeds.
+
+## DDOS As A Service
+
+Gossamer's network protocol converges towards a total graph, where every node
+knows how to connect to every other node, and new information (new posts)
+rapidly push out to every single node.
+
+If you've ever been privy to the Twitter "firehose" feed, you'll understand
+why this is a drastic mistake. Even a moderately successful social network
+sees on the order of millions of messages a day. Delivering _all_ of this
+directly to _every_ node _all_ of the time would rapidly drown users in
+bandwidth charges and render their internet connections completely unusable.
+
+Gossamer's design also has no concept of "quiet" periods: every fifteen to
+thirty seconds, rain or shine, every node is supposed to wake up and exchange
+data with some other node, regardless of how long it's been since either node
+in the exchange has seen new data. This very effectively ensures that
+Gossamer will continue to flood nodes with traffic at all times; the only way
+to halt the flood is to shut off the Gossamer client.
+
+## Passive Nodes Matter
+
+It's impractical to run an inbound data service on a mobile device. Mobile
+devices are, by and large, not addressable or reachable by the internet at
+large.
+
+Mobile devices also provide a huge proportion of Twitter's content: the
+ability to rapidly post photos, location tags, and short text while away from
+desks, laptops, and formal internet connections is a huge boon for ad-hoc
+social organization. You can invite someone to the pub from your phone, from
+in front of the pub.
+
+(This interacts ... poorly with the DDOS point, above.)
+
+## Traffic Analysis
+
+When a user enters a new status update or sends a new private message, their
+Gossamer node immediately forwards it to at least one other node to inject it
+into the network. This makes unencrypted Gossamer relatively vulnerable to
+traffic analysis for correlating Gossamer identities with human beings.
+
+Someone at a network "pinch point" -- an ISP, or a coffee shop wifi router --
+can monitor Gossamer traffic entering and exiting nodes on their network and
+easily identify which nodes originated which messages, and thus which nodes
+have access to which identities. This seriously compromises the effectiveness
+of Gossamer's decentralized, self-certifying identities.