A mapper was able to rename their account to an identical username used by DWG for repairs, allowing them to revert dozens of changesets and remove the Russian language from OSM with a concerning message.
I’m not sure how this was possible, but it raises questions about account security. Is there a way to prevent this from happening again?
I must admit, I was taken aback to think that such changesets could have been initiated by someone affiliated with DWG.
I am equally shocked that the user only received a 24-hour block for their actions. This behavior should not be tolerated, and in my opinion, a user ban and automatic reversion of all changesets would have been more appropriate.
Given the scale of these changesets across the world, I anticipate there will be many comments and discussions about this today which could have been avoided.
Homograph attacks are a common problem in multilingual platforms that allow users to choose any arbitrary sequence of Unicode characters as a user name. The website developers have concluded that any solution to the problem, such as disallowing user names that are “confusable” with an existing user name, would impose too many restrictions on legitimate accounts:
@SomeoneElse, is this block the final word, or will the user be forcibly renamed if they don’t do it themselves?
Understood. Then let’s prioritize “Impersonation” as a top offense that results in an automatic ban. Without appropriate consequences, some mappers might be tempted to use this technique again.
I’d be totally shocked if this user here could just take back their previous username like nothing happened.
We’ll deal with the damage but it might take a bit longer to repair things than to break them. And yes, the discussions about this could have been avoided if everyone on the planet was nice and friendly, but sadly that is not within our powers.
The account was blocked for a short time while we investigate but it is unlikely we will simply let them continue making these types of edits, so no need for you to be shocked.
As Minh has pointed out, Unicode is your oyster if you want to create lookalike usernames and it is extremely difficult to prevent that automatically. Even without Unicode tricks people have created lookalike usernames by replacing, say, a lower-case L with an upper-case I etc…
Just to clarify things:
Homographic (lookalike) attacks depend not only on the character represented by its Unicode numeric value, but also on the glyphs (optical appearance) of the font used.
E.g. an upper-case “I” and a lower-case “l” may look identical in sans-serif fonts but different in serif fonts.
Therefore preemptive measures are more laborious than they look at first glance.
I would like tools like OSMCha to explicitly highlight DWG members. There is a non-obvious filtering mechanism, but I think many people want to see edits with DWG rollbacks. It is worth contacting the developers of these tools. upd: Highlight DWG member accounts · Issue #675 · mapbox/osmcha-frontend · GitHub
But for this, DWG participants must have a tag on their account. @woodpeck Why is your OSM account not labeled as a moderator? Like mavl | OpenStreetMap
My account on this site is a member of osmf-data-wg here but that isn’t shown in the “account flair” here because I turned it off; most of the time here I’m not wearing a DWG hat and I’m not representing the DWG when I say anything, except when I say:
– Andy (from the DWG)
Edit: added “, except when I say:” to try and make the last bullet point clearer.
My account on this site is a member of osmf-data-wg here but that isn’t shown in the “account flair” here because I turned it off; most of the time here I’m not wearing a DWG hat and I’m not representing the DWG when I say anything.
It would be nice to have this shown on a per-post or per-category basis. I also wouldn’t want to walk around here with an Italy mod sign on my head, but I want to be recognizable (fellow members want it) as a mod in the Italian category, and turned it back on for this reason. Maybe it could be shown automatically if you mark the post as “acting in the conferred role”.
That’s a good idea, but the challenge is where do you want that conversion to appear. The character “р” is a valid character in a Cyrillic name. Maybe anything on the site that is actually a URL, but not those places where it is literally just a display name?
I believe that rendering this in URLs would be sufficient. It would still be easy to distinguish fake accounts while leaving people’s display names unchanged. Additionally, this approach would not disrupt any other third-party tools since the display_name returned from the API would remain unaffected. It would only impact the URLs.
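As an added example (not code from this thread, from the OSM website, or from OSMCha), the script below shows the two things discussed above in working form: the “confusable with an existing user name” check that the website developers consider too restrictive to apply automatically, split into a mixed-script test and a lookalike “skeleton” comparison (including the font-dependent I/l case), and the punycode rendering of a display name for URLs proposed in the last two posts. The confusable table is a constructed subset of the Unicode confusables data, the account names are constructed sample values, and the function names are my own.

```python
"""Lookalike-username checks: mixed-script detection, a confusable "skeleton",
and the punycode URL rendering proposed in the thread.
Added example; CONFUSABLE_TO_LATIN is a constructed subset of Unicode confusables."""
import codecs
import unicodedata

# Constructed subset of the Unicode confusables data (UTS #39). Each lookalike maps
# to the Latin character it is usually mistaken for. A real check would load the
# full confusables.txt; this is enough to demonstrate the mechanism.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",   # Cyrillic с у х і
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K",   # Cyrillic А В Е К
    "\u041c": "M", "\u041d": "H", "\u041e": "O", "\u0420": "P",   # Cyrillic М Н О Р
    "\u0421": "C", "\u0422": "T", "\u0425": "X",                  # Cyrillic С Т Х
    "\u03bf": "o", "\u039f": "O",                                 # Greek omicron
    "I": "l", "1": "l", "|": "l",  # upper-case I, digit one, bar vs lower-case L (font dependent)
    "0": "O",                      # digit zero vs upper-case O
}

SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC")


def scripts_used(name):
    """Set of writing systems among the letters of `name`, taken from the first
    word of each character's Unicode name (e.g. 'CYRILLIC SMALL LETTER O')."""
    found = set()
    for ch in name:
        if not ch.isalpha():
            continue                      # digits, punctuation and spaces are script-neutral
        first = unicodedata.name(ch, "").split(" ")[0]
        found.add(first if first in SCRIPTS else "OTHER")
    return found


def is_mixed_script(name):
    """True when letters from more than one script are mixed, the classic homograph
    pattern (Cyrillic а inside a Latin name). Single-script lookalikes such as
    I-for-l are not caught here; skeleton() covers those."""
    return len(scripts_used(name)) > 1


def skeleton(name):
    """Collapse a name to what it looks like: NFKC folds compatibility forms
    (fullwidth letters, ligatures), invisible format characters are dropped, and
    each character is replaced by its Latin lookalike if the table has one."""
    out = []
    for ch in unicodedata.normalize("NFKC", name):
        if unicodedata.category(ch) == "Cf":   # zero-width joiners/spaces etc.
            continue
        out.append(CONFUSABLE_TO_LATIN.get(ch, ch))
    return "".join(out)


def confusable_with(candidate, existing_names):
    """Existing names that would look like `candidate` (exact duplicates excluded;
    a real registration check rejects those separately)."""
    target = skeleton(candidate)
    return [n for n in existing_names if n != candidate and skeleton(n) == target]


def url_form(name):
    """Render a display name the way the thread proposes for URLs: ASCII names
    unchanged, anything else as xn--<punycode>, so a lookalike is visibly different
    in the link while the display name returned by the API stays untouched."""
    if name.isascii():
        return name
    return "xn--" + codecs.encode(name, "punycode").decode("ascii")


def from_url_form(text):
    """Inverse of url_form(), so tools can still recover the real display name."""
    if text.startswith("xn--"):
        return codecs.decode(text[4:].encode("ascii"), "punycode")
    return text


def analyse(candidate, existing_names):
    """One report per candidate name, e.g. when a rename request comes in."""
    return {
        "mixed_script": is_mixed_script(candidate),
        "confusable_with": confusable_with(candidate, existing_names),
        "url_form": url_form(candidate),
    }


if __name__ == "__main__":
    # Constructed sample data: a few existing accounts and three rename attempts.
    existing = ["mapper_one", "RollbackBot", "DataWG"]
    for attempt in ["m\u0430pper_one", "RoIIbackBot", "DataWG"]:
        print(attempt, analyse(attempt, existing))
```

The skeleton comparison is deliberately case-sensitive: a different letter case is visible to a reader, so folding it would only produce false positives. Note that a full confusables table makes the check strict enough that legitimate Cyrillic or Greek names collide with Latin ones, which is the restriction on legitimate accounts the developers refer to; the URL rendering avoids that trade-off because it changes nothing about which names are allowed.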
In this case, the only thing that an ordinary participant can rely on is the date the account was created and the activity of the account.
If the user doesn’t know which accounts the DWG uses, then their punycode won’t help them in any way: they don’t know the moderators’ real nicknames. (They’re not even here: Data Working Group - OpenStreetMap Foundation)
I agree with this. The moderator flair is intended to distinguish moderators, yet moderators are using accounts that do not have this branding, which leads to confusion.