How about limiting new accounts?

It’s… not as bad as you may claim. I sometimes investigate certain nodes myself even by non-anonymous users especially if it’s a couple months old where things could have changed quite quickly, not to mention that non-anonymous users, especially StreetComplete users, don’t leave enough details which also require some manual investigations (trust me, I made that mistake once), not to mention they also help to map things sooner than later.
On top of that, as Mateusz mentioned, reminders that buildings and many other things which can be and are mapped by aerial images but haven’t been already don’t require surveys (at worst, it’s a demolished house but that can easily be marked as such).

By the way, you can use bbox parameter when searching for notes with the api.

In some cases the vandal made so many notes that it was timing out (and if I run the script anyway, I can detect very silly notes worldwide).

For information, there is further name removal vandalism taking place.

What is happening in each case is that a “new” account is being created, several thousands of changesets submitted each with one change in them like this, and then the account deleted.

How about adding phone number verification? Most countries require identification to register a phone number. It could scare off vandals.

We drifted a few times astray from the core issue: “New users shouldn’t, at least in theory, have the possibility to waste time of legit mappers.”

The reality is - everyone who wants to waste time and thus life of legit mappers can do so with the current policies in place by the OSMF and OSM community.

Options have been suggested: IP limitations, but what about schools or clubs where a whole class likes to join?
Limitations by phone number, but what if someone doesn’t have a phone or doesn’t want to use it for online registration?
Restriction by you need to login per your valid Google account, Facebook account? Yes everyone can make fake accounts.

But any of these measurements for sure makes it a bit more daunting obviously, no need to deny that.

So how about to offer a few options: you can use for verification your FB account, Google Account or phone number.

Then a legit new user has a few options, with still it’s going to take illicit mappers and vandals significantly more time to sign up.

And then there’s the concept of account limitations. Even on this forum we have this, signing up here as new user you see this, I quote:

Thanks for joining OpenStreetMap Community, and welcome!

If you’d like to learn more, select below and bookmark this personal message. If you do, there may be a :gift: in your future!

I see no reason honestly why we can’t do both? And have people to verify their accounts through either their phone, FB or Google accounts AND at the same time limit edit capabilities.

Unlocking what one can do - by completing tutorials successfully on the devs server.
You must complete a tutorial on waterways before you can do that
You must complete a tutorial on buildings before you can touch that
You must complete a tutorial on indoor mapping before touching that
You must complete a tutorial on administrative boundaries before you can edit them

Also have a small examination to each topic, where new users must read on a wiki article and then questions will be asked, alongside the tutorial.

I’m sure who’s legit in mapping and wants to pursue this - this isn’t too much to ask and the serious mappers will agree it’s better to have 100 good edits instead of a 1000 edits which accounts for 0 because it needs to be reverted.

And I’m sure others can come up with other good ideas on changing the signup/mapping process of users.

6 Likes

Good to see you on here @HikeAndMap

1 Like

Could not remember the procedure when first signing up in 2014 so did a dummy (which I will not confirm to see if that breaks the sign up cycle) and learned that but for a click on a reply mail there’s no checks. Would have expected to at least see a reCaptcha like challenge to stop bot automation but none of that. :woozy_face:

Please don’t centralize the Internet even more, OSM becoming dependent on those big ones is a BAD idea.

I like this idea.

Biggest issue is translations, and naturally people creating those tutorials. But the scaling to all languages is an issue I expect.

For me, I’m still fully convinced that the best way to solve a people problem is to use people, not technology. A new account can only make small changes and only when a mapper that has “karma” (magic internet points) enough then goes and approves those changes the new mapper makes, they become a fully allowed mapper.

This happens in practically all places around the Internet. From github to this forum and everything in between. It is really OSM that is the odd one out. And that is because it didn’t need it yet. Well, I think it does now.

The tutorials idea is a great one, though. We could seriously use those in some step towards growing the access of a new account.

5 Likes

reCaptcha itself is a Google service, and I suspect that some people would be opposed to that just for that reason. There are also potential issues with GDPR that would need to be addressed. There are alternatives, often based on “proof of work” rather than “proof that you are a human”, but I’m not convinced that that approach would help here. If you know of an option that (a) could be made GDPR compliant (e.g. by self-hosting), (b) would actually work to force actual humans to fill in an actual form and (c) isn’t ethically problematic for some other reason, I’m sure that people would be interested.

5 Likes

I appreciate all the concerns you’re bringing up there. I’ve been seeing hCaptcha more and more on services with similar concerns, but I haven’t personally vetted it. They claim they exceed GDPR requirements, though I can’t vouch for that.

3 Likes

How many accounts are in this wave of vandalism? Am I right in understanding that the problem the vandal is exploiting right now is the lack of limits on the number of changesets a user can make? (he’s not making big edits yet?)

Far fewer than the “several thousand” previously.

They are still making a very large number of edits as a “new” user in a very short period of time and then deleting their account when blocked.

Yes, for example, the wiki makes you solve a CAPTCHA. It switched from reCaptcha to hCaptcha last year.

1 Like

5 posts were split to a new topic: Brainstorming on reversion

In my defense - it’s just brainstorming throwing in any idea.

I’m myself a strong opponent of big IT - in fact I hate it.

I have a fake account on FB, I have a fake account on Google, my android are all degoogled, my computers are all pro versions or linux so I don’t need MS accounts or anything.

But - when it comes to throwing in thoughts about what can be improved I am a strong proponent of “brainstorming, throw in anything into the bowl - and then let’s discuss it and exchange opinions”

And I think ruling out something beforehand just because I personally hate big IT - is a bad idea maybe even worse than the fact that most likely indeed using big IT accounts is a bad idea. :rofl:

Just saying - but it’s a good thing we got this discussion ongoing - we really need that and then work out something the community can agree upon and make OSMF to implement it because that’s what the community decided.

And I’m all democratic here in this regard.

3 Likes

thank you - yeah I’m a brainstormer guy - so I figured let’s throw in some thoughts…

1 Like

This is only a half-joking comment, but we’re OSM, so a good captcha could be: here are some photos, and a draft map, create a map on our capcha.map.osm.org server using iD editor. You’ve got 30 minutes. Good luck! :grin:


Apart from that there are some genuinely interesting alternatives to “proof of intelligence” tests, much closer to the general meaning of “proof of work”: mCaptcha requests time-consuming hashes to be computed; individual users lose a few seconds, but repeated bots may end up getting multiple days’ worth of tasks to compute. Idiots Bot operators may spend a few pounds on spamming but they probably will not waste a cryptomining rig to break OSM captcha to make easily revertible changes.

1 Like
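The proof-of-work idea from the post above, as an added example that is not part of the original thread and is not mCaptcha's own code or protocol: a generic hashcash-style sketch in which the server raises the required number of leading zero bits with each recent signup from the same source. The constants, function names and the doubling schedule are assumptions chosen for illustration.

```python
import hashlib
import itertools
import os

BASE_BITS = 8    # assumed cost for a first-time visitor (~256 hashes)
STEP_BITS = 2    # assumed: each recent signup quadruples the work
MAX_BITS = 20    # assumed cap so this demo finishes in seconds

def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()

def difficulty_for(recent_signups: int) -> int:
    """Required zero bits grow with recent signups from one source."""
    return min(BASE_BITS + STEP_BITS * recent_signups, MAX_BITS)

def issue_challenge(recent_signups: int) -> tuple[bytes, int]:
    """Server side: fresh random salt plus the difficulty for this client."""
    return os.urandom(16), difficulty_for(recent_signups)

def solve(salt: bytes, bits: int) -> tuple[int, int]:
    """Client side: brute-force a nonce; returns (nonce, hashes_tried)."""
    for nonce in itertools.count():
        digest = hashlib.sha256(salt + nonce.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= bits:
            return nonce, nonce + 1

def verify(salt: bytes, bits: int, nonce: int) -> bool:
    """Server side: one hash is enough to check the client's work."""
    digest = hashlib.sha256(salt + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= bits

def expected_hashes(recent_signups: int) -> int:
    """Average number of hashes a client needs at this difficulty."""
    return 2 ** difficulty_for(recent_signups)

if __name__ == "__main__":
    for n in (0, 3, 6):
        salt, bits = issue_challenge(n)
        nonce, tried = solve(salt, bits)
        ok = verify(salt, bits, nonce)
        print(f"signups={n} bits={bits} tried={tried} ok={ok}")
```

A deployment would also have to expire each salt and reject reuse, otherwise one solved challenge could be replayed for many signups.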

@SomeoneElse, thank you for keeping on top of this! With this new attacker’s strategy, it’s harder to find his changesets. For example, for this object Way History: ‪Одеський морський вокзал‬ (‪37193675‬) | OpenStreetMap , version 35 was “Edited 10 days ago by deleted”, then it was reverted, later version 39 was “Edited 3 days ago by deleted”, and it wasn’t reverted yet. The website doesn’t provide a link for the “deleted” user; Go Map!! does show the last editor as “user_20380720”, but its profile page shows “The user user_20380720 does not exist”. So is it possible to see his changesets since likely all of them will need to be reverted? Thanks.

2 Likes

I had a look at the site and it looks pretty good but I could not find anywhere you can try the PoW challenge.