How about limit new accounts?

Yes, for example, the wiki makes you solve a CAPTCHA. It switched from reCaptcha to hCaptcha last year.

1 Like

5 posts were split to a new topic: Brainstorming on reversion

In my defense, it’s just brainstorming, throwing in any idea.

I’m myself a strong opponent of big IT - in fact I hate it.

I have a fake account on FB, I have a fake account on Google, my Androids are all degoogled, my computers are all Pro versions or Linux, so I don’t need MS accounts or anything.

But when it comes to throwing in thoughts about what can be improved, I am a strong proponent of “brainstorming: throw anything into the bowl, and then let’s discuss it and exchange opinions”.

And I think ruling out something beforehand just because I personally hate big IT is a bad idea, maybe even worse than the fact that most likely using big IT accounts is indeed a bad idea. :rofl:

Just saying, but it’s a good thing we got this discussion going; we really need that, and then we can work out something the community can agree upon and make OSMF implement it, because that’s what the community decided.

And I’m all democratic here in this regard.

3 Likes

Thank you. Yeah, I’m a brainstormer guy, so I figured let’s throw in some thoughts…

1 Like

This is only a half-joking comment, but we’re OSM, so a good captcha could be: here are some photos, and a draft map, create a map on our capcha.map.osm.org server using iD editor. You’ve got 30 minutes. Good luck! :grin:

Apart from that there are some genuinely interesting alternatives to “proof of intelligence” tests, much closer to the general meaning of “proof of work”: mCaptcha requests time-consuming hashes to be computed; individual users lose a few seconds, but repeated bots may end up getting multiple days’ worth of tasks to compute. Bot operators may spend a few pounds on spamming, but they probably will not waste a cryptomining rig to break the OSM captcha to make easily revertible changes.

1 Like

@SomeoneElse, thank you for keeping on top of this! With this new attacker’s strategy, it’s harder to find his changesets. For example, for this object Way History: Одеський морський вокзал (37193675) | OpenStreetMap , version 35 was “Edited 10 days ago by deleted”, then it was reverted, later version 39 was “Edited 3 days ago by deleted”, and it wasn’t reverted yet. The website doesn’t provide a link for the “deleted” user; Go Map!! does show the last editor as “user_20380720”, but its profile page shows “The user user_20380720 does not exist”. So is it possible to see his changesets, since likely all of them will need to be reverted? Thanks.

2 Likes

I had a look at the site and it looks pretty good but I could not find anywhere you can try the PoW challenge.

Try this link. Try clicking on and off 10-15 times. You can follow the browser console as well.

But it seems a little bit dead today. Technically it does not matter, since one can install the server for themselves.

There are a couple of options here. The version of the one I was using a couple of days ago had some issues with “essentially simultaneous changesets by the same vandal user”, and as noted above missed some. Work is ongoing to address those issues.

I’ve since extracted their non-zero-change changesets from a local changeset database and downloaded that list. This may be incomplete for a couple of other reasons, but certainly gets us closer.

More generally, other revert options include this and this.

Or for a non-Github site: https://revert.monicz.dev/

I believe Thanos is restricted to mods only?

I see two ways to identify names affected by the current attacks: we can search the history for every removal of or change to name:ru, and in the longer term we could make it possible to search changes by deleted user accounts.

I had a try, but the only “PoW” is that you have to click an “I’m not a robot” button; it is only rate limiting.

2 Likes

(apologies for offtopic diversion from the thread, but) you can search for changes by deleted accounts already. The “user_20380720” name format has the “userid” (which is preserved for the account across name changes and deletions) as the second part of the “deleted name”. An overpass query for “(uid:20380720)” will find the data. In that particular example, a revert is ongoing, so in a few days that query should not find anything.

2 Likes

I sense some terminology issues here; if I want to be pedantic, then it is neither a captcha (since it does not actually tell humans and robots apart) nor rate limiting (since it requires proof of work and does not use server delays).

The system works like a rate limit offloaded to the users, and it tells “mass users and normal users apart”, regardless of their robotness. The point is, as opposed to rate limits, not just to delay spammers but to require them to spend an unacceptable amount of resources to log in, while individual (non-mass) users are only required to spend a few seconds waiting.
Also it uses similar techniques to captchas, like handing out tokens to be able to track individual rates and raise the bar if mass access is detected.

This will not stop bad-intent humans manually editing, since they will not be rapid enough to trigger a raised amount of work (still, they will get a few seconds’ wait here and there), but it would stop (or at least seriously slow down) mass automated edits.

Granted: there are no magical methods that stop bad actors and at the same time do not hinder good ones. The general problem is that some people think that losing new users can be acceptable collateral damage (and conveniently invisible to them), and, in my not so humble opinion, that would be a grave mistake.

Personally I prefer the original proof of work terminology as used in cryptocurrencies.

A math problem is given and the user’s device has to do some calculation for 30 to 60 seconds to come up with an answer that can be verified very cheaply.

The point is that the actual thing that PoW protects should be a rare occurrence. How many times do you guys login to OSM? How many times do you create a new account?
It is OK for that to be made expensive in order to avoid bots doing it massively.

The point is that it can and should be done completely automatically and behind the scenes for users. So when a user is typing a username/password, the work is being done. That way it is painless for actual legit use cases, whereas a bot ends up spending a lot of resources and factually doesn’t go any faster than a human would.

Or, in other words, the proof of work goes towards the computer and not the end-user doing the work.

3 Likes
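To make the posts above concrete, here is an added example (not mCaptcha’s, OSM’s or any poster’s code) of a login proof of work in the shape the thread sketches: the client brute-forces a nonce so that sha256(salt + input + nonce) starts with a required number of zero bits, the server checks it with a single hash, and a small token tracker raises the difficulty for anyone requesting many challenges in a short window. The token names, difficulty parameters and 60-second window are constructed assumptions for the demo.

```python
import hashlib
import secrets
import time

# Added example, not mCaptcha's or OSM's code: a login/sign-up proof of work in the
# shape the thread describes, sha256(salt + input + nonce) with variable difficulty.
# Difficulty is counted in leading zero bits: each extra bit doubles the client's
# expected work while verification stays a single hash.

def _digest(salt: bytes, data: bytes, nonce: int) -> bytes:
    return hashlib.sha256(salt + data + nonce.to_bytes(8, "big")).digest()

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 256-bit digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()

def solve(salt: bytes, data: bytes, difficulty: int) -> int:
    """Client side: brute-force a nonce (expected work about 2**difficulty hashes)."""
    nonce = 0
    while leading_zero_bits(_digest(salt, data, nonce)) < difficulty:
        nonce += 1
    return nonce

def check(salt: bytes, data: bytes, nonce: int, difficulty: int) -> bool:
    """Server side: one hash, regardless of how hard the puzzle was."""
    return leading_zero_bits(_digest(salt, data, nonce)) >= difficulty

class ChallengeServer:
    """Issues single-use salts and raises the bar for a token that shows up too often."""
    def __init__(self, base: int = 14, step: int = 2, threshold: int = 3, window: float = 60.0):
        self.base, self.step, self.threshold, self.window = base, step, threshold, window
        self.issued: dict[bytes, int] = {}       # salt -> difficulty, consumed on verify
        self.seen: dict[str, list[float]] = {}   # token -> recent challenge timestamps

    def challenge(self, token: str) -> tuple[bytes, int]:
        now = time.monotonic()
        recent = [t for t in self.seen.get(token, []) if now - t < self.window] + [now]
        self.seen[token] = recent
        # Normal users stay at `base`; every request beyond `threshold` adds `step` bits.
        difficulty = self.base + self.step * max(0, len(recent) - self.threshold)
        salt = secrets.token_bytes(16)
        self.issued[salt] = difficulty
        return salt, difficulty

    def verify(self, salt: bytes, data: bytes, nonce: int) -> bool:
        difficulty = self.issued.pop(salt, None)  # a salt can be redeemed only once
        return difficulty is not None and check(salt, data, nonce, difficulty)
```

A client obtains `(salt, difficulty)` from `challenge()` when the login form loads, runs `solve()` over the username while the user types, and submits the nonce for `verify()`.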

We do not have the tools to combat a sophisticated, highly-motivated, potentially state-sponsored actor that wishes to harm OSM.

We have the tools to combat casual, garden-variety trolls, vandals, and other petty miscreants.

We amateurs sitting around the campfire here and tossing out good ideas is all well and good but all it does is show how (I’ll use the British form since that’s our standard) half-arsed our approach is to having a real cyber defense strategy.

OSMF has “Increase paid system administration staff” on their recently approved strategic plan. Hopefully they see fit to direct that towards the problem at hand…

4 Likes

Isn’t that the same thing I was talking about? :slight_smile:

It’s just the context and environment that are specific; at the core it’s similar hashing (sha256 on salt+input+nonce, with a variable depth of difficulty).

Don’t forget that professionals built the Titanic and amateurs the Ark.

(Also be aware that the community has plenty of members with a long history of various specialised professional work, including yours truly. Many could design systems to mitigate the problems, even automagically handle it, except there should be someone actually coding and testing it, and that’s what usually blocks the stuff getting done. You seem to think OSMF is a mystical being, but on the contrary: the community has the mystical powers.)

It needs a few motivated people to actually coordinate the available scattered tools, try to prevent parallel work, actually design what we would need and how we would like to have it, and then they “only” have to be coded. I would, but I am kind of busy nowadays.

There is no evidence that OSM has been targeted by such.

Not so sure about that either: in my local area there is a person that got blocked for life. He creates several accounts a week and maps in a way that is not far from what got him blocked. There is nothing that can be done.

3 Likes

The topic theme has two meanings I can think of:

1. Make signing up more expensive
2. Limit what new users can do

3 Likes