How about limit new accounts?

Try this link. Try 10-15 times click on and off. You can follow the browser console as well.

But it seems like a little bit dead today. Technically it does not matter since one can install the server for themselves.

There are a couple of options here. The version of the one I was using a couple of days ago had some issues with “essentially simultaneous changesets by the same vandal user”, and as noted above missed some. Work is ongoing to address those issues.

I’ve since extracted their non-zero-change changesets from a local changeset database and downloaded that list. This may be incomplete for a couple of other reasons, but certainly gets us closer.

More generally, other revert options include this and this.

Or for a non-Github site: https://revert.monicz.dev/

I believe Thanos is restricted to mods only?

I see two ways to identify names affected by the current attacks: we can search the history for every removal of or change to name:ru, and in the longer term we could make it possible to search changes by deleted user accounts.

I had a try, but the only “PoW” is that you have to click an “I’m not a robot” button; it is only rate limiting.

2 Likes

(apologies for offtopic diversion from the thread, but) you can search for changes by deleted accounts already. The “user_20380720” name format has the “userid” (which is preserved for the account across name changes and deletions) as the second part of the “deleted name”. An overpass query for “(uid:20380720)” will find the data. In that particular example, a revert is ongoing, so in a few days that query should not find anything.

2 Likes

I sense some terminology issues here; if I want to be pedantic, then it is neither a captcha (since it does not actually tell humans and robots apart) nor rate limiting (since it requires proof of work and does not use server delays).

The system works like a rate limit offloaded to the users, and it tells “mass users and normal users apart”, regardless of their robotness. The point is, as opposed to rate limits, not just to delay spammers but to require them to spend an unacceptable amount of resources to log in, while individual (non-mass) users are only required to spend a few seconds waiting.
Also it uses similar techniques to captchas, like handing out tokens to be able to track individual rates and raise the bar if mass access is detected.

This will not stop bad-intent humans manually editing, since they will not be rapid enough to trigger a raised amount of work (still, they will get a few seconds’ wait here and there), but it would stop (or at least seriously slow down) mass automated edits.

Granted: there are no magical methods stopping bad actors and at the same time not hindering good ones. The general problem is that some people think that losing new users can be an acceptable collateral damage (and conveniently invisible to them), and - in my not so humble opinion - that would be a grave mistake.

Personally I prefer the original proof of work terminology as used in cryptocurrencies.

A math problem is given and the user’s device has to do some calculation for 30 to 60 seconds to come up with an answer that can be verified very cheaply.

The point is that the actual thing that PoW protects should be a rare occurrence. How many times do you guys log in to OSM? How many times do you create a new account?
It is OK for that to be made expensive in order to avoid bots doing it massively.

The point is that it can and should be done completely automatically and behind the scenes for users. So when a user is typing a username/password, the work is being done. That way it is painless for actual legit use cases, whereas a bot ends up spending a lot of resources and factually doesn’t go faster than a human would.

Or, in other words, the proof of work goes towards the computer and not the end-user doing the work.

3 Likes

We do not have the tools to combat a sophisticated, highly-motivated, potentially state-sponsored actor that wishes to harm OSM.

We have the tools to combat casual, garden-variety trolls, vandals, and other petty miscreants.

We amateurs sitting around the campfire here and tossing out good ideas is all well and good but all it does is show how (I’ll use the British form since that’s our standard) half-arsed our approach is to having a real cyber defense strategy.

OSMF has “Increase paid system administration staff” on their recently approved strategic plan. Hopefully they see fit to direct that towards the problem at hand…

4 Likes

Isn’t that the same thing I was talking about? :slight_smile:

It’s just the context and environment that’s specific; at the core it’s similar hashing (sha256 on salt+input+nonce, with a variable depth of difficulty).

Don’t forget that professionals built the Titanic and amateurs the Ark.

(Also be kind of aware that the community has plenty of members with a long history of various specialised professional work, including yours truly. Many could design systems to mitigate the problems, even automagically handle them, except there should be someone actually coding and testing it, and that’s what usually blocks the stuff getting done. You seem to think OSMF is a mystical being, but on the contrary: the community has the mystical powers.)

It needs a few motivated people to actually coordinate the available scattered tools, try to prevent parallel work, and actually design what we would need and how we would like to have it, and then they “only” have to be coded. I would, but I am kind of busy nowadays.

There is no evidence OSM has been targeted by such.

Not so sure about that either: in my local area there is a person who got blocked for life. He creates several accounts a week, and maps in a way that is not far from what got him blocked. There is nothing that can be done.

3 Likes
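The proof-of-work login gate discussed earlier in the thread (a problem the client’s device solves and the server verifies cheaply, sha256 over salt + input + nonce with a variable depth of difficulty, and a per-token bar that rises when the same token keeps coming back), worked through as an added Python example. This is not code from the thread, from OSM or from any existing PoW library; the difficulty constants, the 60-second window, the challenge expiry and the `Challenger`/`solve` names are assumptions made for the example.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque

# Assumed policy constants (not from the thread): a baseline that costs a
# normal device milliseconds, rising per rapid attempt up to a cap that costs
# tens of seconds of CPU per login/sign-up.
BASE_BITS = 12
MAX_BITS = 24
WINDOW_SECONDS = 60.0
FREE_ATTEMPTS = 3          # attempts per window before the bar is raised
CHALLENGE_MAX_AGE = 300.0  # seconds a solved challenge stays valid


def _digest(salt: str, data: str, nonce: int) -> bytes:
    """sha256 over salt + input + nonce, the core named in the thread."""
    return hashlib.sha256(f"{salt}|{data}|{nonce}".encode()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in the digest: the 'depth of difficulty'."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


class Challenger:
    """Server side: hands out salted challenges and raises the difficulty for a
    token (cookie/IP) that keeps coming back within the window."""

    def __init__(self):
        self._attempts = defaultdict(deque)  # token -> recent attempt timestamps

    def difficulty_for(self, token: str, now: float) -> int:
        window = self._attempts[token]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()               # forget attempts outside the window
        window.append(now)
        excess = max(0, len(window) - FREE_ATTEMPTS)
        return min(MAX_BITS, BASE_BITS + 2 * excess)  # each extra attempt quadruples the work

    def issue(self, token: str, username: str, now: float = None) -> dict:
        now = time.time() if now is None else now
        return {"salt": secrets.token_hex(16), "input": username,
                "bits": self.difficulty_for(token, now), "issued": now}

    @staticmethod
    def verify(challenge: dict, nonce: int, now: float = None) -> bool:
        """Cheap check: one hash plus an expiry test."""
        now = time.time() if now is None else now
        if now - challenge["issued"] > CHALLENGE_MAX_AGE:
            return False
        digest = _digest(challenge["salt"], challenge["input"], nonce)
        return leading_zero_bits(digest) >= challenge["bits"]


def solve(challenge: dict) -> int:
    """Client side: brute-force a nonce. Expected cost is 2**bits hashes; this
    is the work that runs in the background while the user types a password."""
    nonce = 0
    while leading_zero_bits(_digest(challenge["salt"], challenge["input"], nonce)) < challenge["bits"]:
        nonce += 1
    return nonce


if __name__ == "__main__":
    server = Challenger()
    for attempt in range(6):                      # the same token hammering sign-up
        ch = server.issue("token-A", "newuser", now=1000.0 + attempt)
        t0 = time.perf_counter()
        nonce = solve(ch)
        ok = Challenger.verify(ch, nonce, now=1001.0 + attempt)
        print(f"attempt {attempt}: {ch['bits']} bits, nonce {nonce}, "
              f"{time.perf_counter() - t0:.3f}s, verified={ok}")
```

The first three attempts from a token cost the baseline; from the fourth on, each attempt within the window adds two bits, so the work per attempt quadruples while a single user who signs up once never notices. In a real deployment the server must remember the challenge it issued (or HMAC-sign it), since otherwise the client could submit its own challenge with a low difficulty, and the expiry keeps pre-computed nonces from being stockpiled.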

The topic theme has two meanings I can think of:

  1. Make signing up more expensive
  2. Limit what new users can do

3 Likes

Agree. Also I think we sometimes abuse the Assuming good faith to a ridiculous extent, even when the sockpuppets are obviously the same person.

Yet I really wouldn’t like this community to become as disappointingly hostile as Wikipedia’s.

1 Like

You are confusing the choice to bear with a mostly harmless misguided person with “nothing that can be done”.

3 Likes

Sure, as I wrote in another place, not every social problem needs a technical solution. I guess I will learn one day that correctness of data is less important than amount of data and stop aching.

The corresponding tools are all after the fact:

  • The block
  • The revert

When I was new, I made some plunder. Hopefully I learned to behave since then. No idea how the learning might have been advanced though.

In the case you referenced it would be completely possible to take legal steps (as the person is known) that would lead to real consequences if they continued their behaviour.

Thank you, good to know this. I’ve found an alternative way that can show a vandal’s changesets, not changed objects: filter by changes in name:ru in osmcha, and it displays user names with their changesets (not everyone is a vandal there, of course); then you can filter by the user.

As to the vandalism, it continues:

There were different ideas about new users above; however, it still seems strange that a new user (I can’t find out when these were registered, but they have sequential IDs) can make hundreds of edits removing data within a short amount of time (a few hours). At first, the vandal removes the key from 1 feature/changeset, then 100 features, 250 features, then he self-destructs. What is possible to do here, except reverts? This creates lots of useless object versions, e.g. Way History: Одеський морський вокзал (37193675) | OpenStreetMap: versions 45, 43, 41, 39, 35, 33, 31, 29, 27, 25, 23, 21 are vandalism, and as many others are reverts.
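One way to do the history search the thread asks for (every removal of name:ru on an object, who did it, and whether a later version put it back, i.e. the alternating vandalism/revert pattern in the way history above), as an added Python example. It is not code from the thread, from osmcha or from OSM. It assumes input in the shape of the OSM API object-history XML (`/api/0.6/way/<id>/history`), the sample history below is constructed rather than real data and uses the uid 20380720 quoted earlier in the thread as its sample actor, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of an OSM object-history response (not real OSM data).
SAMPLE_HISTORY = """<osm version="0.6" generator="constructed-sample">
  <way id="1" visible="true" version="1" changeset="100" timestamp="2025-01-01T10:00:00Z" user="mapper_a" uid="11">
    <nd ref="1"/><nd ref="2"/>
    <tag k="name" v="Example"/>
    <tag k="name:ru" v="Пример"/>
  </way>
  <way id="1" visible="true" version="2" changeset="101" timestamp="2025-01-02T10:00:00Z" user="user_20380720" uid="20380720">
    <nd ref="1"/><nd ref="2"/>
    <tag k="name" v="Example"/>
  </way>
  <way id="1" visible="true" version="3" changeset="102" timestamp="2025-01-02T11:00:00Z" user="reverter" uid="12">
    <nd ref="1"/><nd ref="2"/>
    <tag k="name" v="Example"/>
    <tag k="name:ru" v="Пример"/>
  </way>
  <way id="1" visible="true" version="4" changeset="103" timestamp="2025-01-02T12:00:00Z" user="user_20380720" uid="20380720">
    <nd ref="1"/><nd ref="2"/>
    <tag k="name" v="Example"/>
  </way>
  <way id="1" visible="true" version="5" changeset="104" timestamp="2025-01-02T13:00:00Z" user="reverter" uid="12">
    <nd ref="1"/><nd ref="2"/>
    <tag k="name" v="Example"/>
    <tag k="name:ru" v="Пример"/>
  </way>
</osm>"""


def parse_history(xml_text):
    """Return the object's versions, oldest first, with a tag dict per version.
    A deleted version (visible="false") carries no tags, so it counts as a removal too."""
    versions = []
    for el in ET.fromstring(xml_text):
        if el.tag not in ("node", "way", "relation"):
            continue
        versions.append({
            "version": int(el.get("version")),
            "uid": el.get("uid"),
            "user": el.get("user"),
            "changeset": el.get("changeset"),
            "timestamp": el.get("timestamp"),
            "tags": {t.get("k"): t.get("v") for t in el.findall("tag")},
        })
    versions.sort(key=lambda v: v["version"])
    return versions


def find_tag_removals(versions, key):
    """Every version that dropped `key` relative to its predecessor, plus the
    first later version (if any) that restored it, i.e. the revert."""
    removals = []
    for prev, cur in zip(versions, versions[1:]):
        had, has = key in prev["tags"], key in cur["tags"]
        if had and not has:
            removals.append({"version": cur["version"], "uid": cur["uid"], "user": cur["user"],
                             "changeset": cur["changeset"], "timestamp": cur["timestamp"],
                             "old_value": prev["tags"][key], "restored_in": None})
        elif has and not had and removals and removals[-1]["restored_in"] is None:
            removals[-1]["restored_in"] = cur["version"]
    return removals


def repeat_removers(removals, min_removals=2):
    """uids that removed the key at least `min_removals` times on this object;
    removing the same key again after a revert is the pattern described in the thread."""
    counts = Counter(r["uid"] for r in removals)
    return {uid: n for uid, n in counts.items() if n >= min_removals}


if __name__ == "__main__":
    history = parse_history(SAMPLE_HISTORY)
    removals = find_tag_removals(history, "name:ru")
    for r in removals:
        print(f"v{r['version']} changeset {r['changeset']} by {r['user']} (uid {r['uid']}) "
              f"removed name:ru={r['old_value']!r}; restored in v{r['restored_in']}")
    print("repeat removers:", repeat_removers(removals))
```

Run against a real history download the same functions list the vandalism versions and the reverts that follow them; the uid, rather than the display name, is the stable key to group on, since it survives renames and the “user_<uid>” form of deleted accounts.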