How about limit new accounts?

No it doesn’t. There’s no attempt to limit the number of OSM accounts per single email account. As an example, I’ve just signed up again here with exactly the same gmail address that I use for normal OSM access but with a “+” modifier on it. I can do that again, and again, and again, and the process would be pretty simple to automate (in fact I’d be surprised if the very large numbers of accounts created by this nefarious user weren’t created automatically).

The idea that any one person could sit on 10s, 100s or even 1000s of dormant, valid, OSM accounts is frankly ridiculous. This shouldn’t be a discussion about “how many edits can new accounts make” before they have to stop, it should be “how do we stop one person accumulating 100s or 1000s of valid accounts” that they can then perform vandalism with.

There’s a board meeting tomorrow. I would very much expect this issue to pop up in “Any other business” or “Guest comments or questions”. You’re on the board - make something happen to prevent this sort of thing occurring again.

– Andy (writing in a personal capacity and without consulting any DWG colleagues).

1 Like

I think that thinking is perfectly in line with the idea that a fresh account is nearly useless for vandalism purposes, as this thread suggests.

Naturally, to limit new accounts being created on the same email does look like a sane thing to do too. But certainly orthogonal to the value proposition of limiting accounts.

1 Like

These email aliases are treated as separate email accounts; similarly, someone with a catch-all redirect and their own domain can register a multitude of accounts using a single real mail.

And fundamentally we cannot really restrict to single OSM account per single real mail account. At least not without allowing signups only from some limited pool of email providers and banning all unknown ones - which has own issues.

Maybe there should be special custom logic to defang those Gmail + aliases, given Gmail’s popularity.

Is this feature being used by vandals? Is there already an open issue for that on the OSM website repository?

Main problem here is that typical solutions (require verification using SMS code, require payment, pile on annoying CAPTCHAs, manual account activation, heavily restrict signup eligibility, require government issued id card, require Google/Microsoft/Steam/FB/etc account, require vouching by existing user, verification using credit card but without charging user etc) have their own problems that are very likely even worse.

Though more general problem, “osm website development could be going better” to phrase it diplomatically is something that board is trying to solve/improve/help/not make worse. Sadly without big successes at least for now.

I will be trying to do something, but right now I have no obvious idea what can be done and is not already being attempted (at least for collecting unreasonable number of user accounts).

Limiting how much single user account can do can be more tractable, but still will not help much if someone can create thousands of user accounts.

(writing in a personal capacity and without consulting with anyone, that is not an official announcement).

3 Likes

That’s only possible because we let them. There is absolutely no technical reason that says that it has to be the case.

I’m not suggesting that. I am suggesting that someone should not be able to sign up for thousands of dormant accounts. As I said above, I’m sure that any restrictions can be brought in at a high enough level to not inconvenience any normal users.

Most of that list is simply FUD - we’re not talking about implementing a full KYC system here; just putting enough in place to ensure that one individual cannot create potentially thousands of dormant accounts to use later for nefarious purposes.

Yes.

No. A public issue tracker doesn’t seem the ideal place to discuss how people might exploit OSM’s sign-up process.

If I was on OSMF’s board, I’d have two items at the top of my list following this incident:

  1. Talk to the admins to understand exactly what happened here, and understanding what needs to be done to prevent it from happening again. For example - over what period of time were the (now deleted) dormant accounts created? How might we recognise that happening in future?
  2. Saying a heartfelt “thank you” to everyone who helped tidy up the mess. Mostly these weren’t people on working groups or admins but ordinary OSM mappers who detected issues as they arose and made sure that the problem changes were reverted.

7 Likes

Did you also try the part with the

?

No. :innocent:
Didn’t receive an email. Guess my provider doesn’t allow it.

Exactly, all these discussions in the open of how to fix/prevent will wise these guys up too, in fact I think a recent thread could have been a fishing expedition to find out how to by a ‘concerned citizen’.

1 Like

Absolutely wonderful discussion here, everybody. I still don’t know how I feel about all this (limiting initial user contributions, with a “ramp up” to “full” over time seems on the “more wise” side), as we are talking about making fundamental changes to the “openness” of OSM. A major cultural shift, in other words.

And in the spirit of “constructive criticism,” I’ll offer a minor correction / clarification to the initial post: all users do not (quite) have the ability of “every account can do anything and everything.” Not quite, as the DWG’s (most powerful) tools of blocking and banning (effectively shutting down an account) are not available to everyone (and that’s a good thing). The difficulty is in managing the vandalism, even knowing there is a fair amount of “user-level users” (without DWG privileges) who are doing some, maybe even much (I don’t think quite “most”) of the cleanup of “bad edits.” Some of these are vandalism, some are more simply, more innocently “ignorance” or “laziness” (like not reading wiki when needed). Still, “it takes a village” (to be stewards of good map data) and this is a gigantic effort: our “garden of global data” has weeds and even pests, but we pluck out the nasty and sometimes give a lethal zap to those who are so pesky they deserve to be shown the exit door.

As I hear (loud and clear) DWG members (like @SomeoneElse) asking for “any takers?” in his requests for additional assistance to “keep the garden weeded,” is there something we could do to better formalize these sorts of tasks? A kind of “Deputy DWG” role (without block or ban powers, but who merely are offered a basket of potential cleanup tasks)? The vetting of volunteers / contributors who would become members of this “squadron” should likely reside with DWG itself, but then there is the cost of organizing the “baskets.” That could be a “win-win,” that could be a “break even,” I’m not sure.

1 Like

I add that a DWG member with a small squadron (or three, or more) of “helpers” (who don’t have block or ban power, but are given specific tasks to unravel back to sanity) communicating via a more-secure (one-to-one) channel, like encrypted email, goes a distance to thwart this. We won’t put this on an issue tracker.

“Wise guys” (the bad guys) watch. There is much to like about being security aware like this. Squashing these like the bugs they are one-by-one with a stealthy approach where bad guys can only guess what we (the good, the mighty, OSM) might next do is correct. Or at least part of correct.

Wisdom ahead, everyone. There are approaches to doing this, doing this well, and doing this well into the future. We are on our way there now.

Sure, but the original discussion on limits like that related to 25 changes per changeset & 250 changes per day, so 5 of your example buildings = 25 changes = 1 CS = 1/10th of their initial allowance.

How many brand new mappers set out to map a forest on their first day? :thinking:

& how many “normal mappers”, especially newbies, will ever need to create multiple accounts? Sure, a few DWG members have separate revert accounts, other people have Import accounts. How many multiples are there throughout OSM? Maybe 100 out of 10000000 users?

You raise a very valid point, although OT to vandalism as such.

Those “please review my changes” should report somewhere, in the same way as Pascal has his Notes pages https://resultmaps.neis-one.org/osm-notes.

I don’t know if we would then need a Review Team working on them, or just leave them for anybody to look at as they feel like it?

See, what happens with “squadrons” helping out DWG is that (at least at first), you can “tune” these teams so they ask the DWG member (frequently, at first) whether an edge is being probed. As these emerge, the squads “know what to do.”

This is an effective technique. Only the “questionable, now” bubbles up to the DWG member at the leadership of the squadron. At some point, it might make sense to appoint a “squad leader” (major or colonel or so, if I were to get military with the hierarchy). The captains who fly “know what to do.”

Go with this. If / as you are overwhelmed as a DWG “general,” it can only help. It seems about right.

Postscript: I’m a conscientious objector to war, but I do understand military hierarchy as being effective against “enemy combatants,” which is what vandals are. Act accordingly.

1 Like

The war situation is only temporary.

There is a simple filter in OSMCha for this. It’s fairly easy for anybody willing to set a bbox around their desired area and set the filter to the “review requested” flag.

1 Like

There is a tool for this by Pascal too, the “Find Suspicious OpenStreetMap Changesets”-Tool.
However, as you can see, it was not made specifically for review requested changesets, but rather needs some filters to be set first. So a dedicated tool for review requested changesets would still be great.

I myself sometimes review these changesets (in Germany) if I have time and feel like it. However, it is very time consuming to really review these changesets in detail. And sometimes it is actually horrifying to see what changes new users try to make (unintentionally of course) that would stay in the live database probably for a long time if I hadn’t checked some of the changesets.

2 Likes

There is a ton of great knowledge out there on how to help your community to become happier and more productive.

Giving positive feedback is a simple way to create a more happy mapper. This also has the effect, and we know this from the many other places that implement social structures, that those mappers “grow up” to become people that feel more secure about their knowledge and are willing to pass on that knowledge.

So, yeah, reviewing new people’s changesets is really something that I feel we have been lacking in. Especially in the case of people asking for a review and never even getting any reply.

The never getting any reply stems from the social problem of not feeling empowered. If someone sees a changeset that asks for a review, they can find fault and comment, but how many will be commenting that the changeset is good? Fearing that someone else might find fault later is a fear of being exposed as an impostor. Fake it till you make it is real in this community.

I feel these problems have grown so long that they won’t be possible to change unless we force people to acknowledge that they need to become a team. Force new people to ask, and force experienced people to answer.

And, yeah, this topic is indeed only partially related to the recent vandalism. It is related because those would not have happened if this social system was in place. But this is not meant as a solution to the vandalism, it is meant as a re-thinking of what it means to be part of openstreetmap.

I think the social structures are needed, the idea to not just work in isolation and without support (unless you really mess up). And I hope others agree that this is the case.

2 Likes

As I understand (based on info from Ticket#2023072610000127 ) admins and DWG are already in contact and there are possibilities to block this specific exploit.

But only that specific one; solving this problem in general is far trickier. But it may help already and make vandalising harder.

I definitely want to thank everyone helping with cleanup after this troll! And other vandals.

Though not promising blog post or similar specifically about this, getting largest possible reaction of any kind may be what they are trying to get.

(again, not an official OSMF statement, commenting in a personal capacity)

1 Like

I find it to be both friendly, “good OSM ambassadorship” and quite positive going forward to (occasionally, yet when deserved) offer “hello, I see your recent editing, and it is really nice!” accolades to especially newer OSM contributors. It’s a small gesture, yes, but just as my mother taught me, “treat people as you yourself would like to be treated.”

Many of these people and I go on to Friend each other, keep tabs on each other’s edits, inspire each other, turn into learning opportunities to become better, more-skilled or more-knowledgeable mappers. And that’s a good thing. I realize not everybody will do this, I merely want to share how I do, and its results are overwhelmingly positive. Rather than “forcing” people to be a team, I find that by simply acting like one, by offering praise where it is well-deserved, goes a long way towards empowerment, and reducing the social isolation many can feel in our project. We are a “somewhat” social project (true, some people map in relative isolation, and like that very much), so “lubricating” the social gears usually does nothing but help.

I realize this might seem off-topic, or “the other side of the coin,” but, while it is certainly important to limit damage (whether intentional or not) to our map, it really does improve our social structure when there is a spirit of “hey, I noticed your mapping and you are certainly on the right track to becoming another great mapper in OSM.” As I say that (again, especially to newbies), I offer the ability to contact me with any questions, and the fabric of our project (both our data AND our community) knits together a bit more strongly.

I also raised this issue on technical meeting today, but it seems that it was being considered already.

2 Likes

Unfortunately using different emails is much easier than you think. Take a Gmail address and simply put dots wherever you want and you have a new email without creating another account.

For example
destruction@gmail.com
De.stru.ction@gmail.com
D.e.struction@gmail.com
all lead to the same account

1 Like
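
The alias forms raised in this thread (Gmail “+” tags, Gmail dots, and catch-all domains) can be folded into one comparison key on the sign-up side. The following is an added example, not part of any post and not code from the OSM website; the thresholds, field names and sample sign-ups are constructed, and stripping “+tag” on non-Gmail domains is a heuristic assumption suited to flagging for review rather than blocking.

```ruby
require "set"

# Domains that deliver to the same Gmail mailbox.
GMAIL_DOMAINS = Set["gmail.com", "googlemail.com"].freeze

# Returns a key for comparison only; the address the user typed must still
# be stored and used for delivery. Returns nil for unparseable input.
def canonical_email(address)
  local, _, domain = address.strip.downcase.rpartition("@")
  return nil if local.empty? || domain.empty?

  local = local.split("+", 2).first.to_s   # drop "+tag" sub-address (heuristic)
  if GMAIL_DOMAINS.include?(domain)
    local = local.delete(".")              # Gmail ignores dots in the local part
    domain = "gmail.com"
  end
  local.empty? ? nil : "#{local}@#{domain}"
end

# Groups sign-ups by canonical key (alias reuse) and by domain (catch-all
# reuse), returning only groups at or above the assumed thresholds.
def suspicious_clusters(signups, per_key: 3, per_domain: 5)
  by_key = Hash.new { |h, k| h[k] = [] }
  by_domain = Hash.new { |h, k| h[k] = [] }
  signups.each do |s|
    key = canonical_email(s[:email])
    next if key.nil?
    by_key[key] << s[:user]
    domain = key.split("@").last
    # Large shared providers are exempt from the per-domain count.
    by_domain[domain] << s[:user] unless GMAIL_DOMAINS.include?(domain)
  end
  { aliases: by_key.select { |_, u| u.size >= per_key },
    domains: by_domain.select { |_, u| u.size >= per_domain } }
end

# Constructed sample data, not real accounts.
SAMPLE_SIGNUPS = [
  { user: "u1", email: "mapper@gmail.com" },
  { user: "u2", email: "Map.per@gmail.com" },
  { user: "u3", email: "m.a.pper+osm2@googlemail.com" },
  { user: "u4", email: "someone@gmail.com" },
  { user: "u5", email: "a1@catchall.example" },
  { user: "u6", email: "a2@catchall.example" },
  { user: "u7", email: "a3@catchall.example" },
  { user: "u8", email: "a4@catchall.example" },
  { user: "u9", email: "a5@catchall.example" },
  { user: "u10", email: "not-an-address" }
].freeze

p suspicious_clusters(SAMPLE_SIGNUPS) if __FILE__ == $PROGRAM_NAME
```

The per-domain count is what catches a catch-all domain, since every address there canonicalizes to a different key.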