I have read it and I see you believe that your proposed “solution” would resolve your mentioned problem.
If you carefully read what I wrote you may realise that I believe this whole thread has no merit since your solution will not resolve your mentioned problem. Also I wanted to point out that your “solution” was only narrowly examined and have not considered the wider context and consequences.
Also it usually does not matter who wrote something; I am debating the message, not the messenger.
Limiting accounts rights on our database is a common approach industry wide. You’re honestly the first one that I hear say it doesn’t go towards solving the problem. I’d love to know why you think so.
Here is my rationale:
A new account would be useless to do any real damage if sufficiently limited. Nothing a local maintainer could not fix in short order.
Creating many new accounts is equally useless, it multiplies a blunt instrument leaving you with an equally blunt instrument. You’d need 100000 accounts to do what the attacker has been doing.
It is rather simple: about 30 years of experience.
(My most notorious example is Waze: new users can do nothing (including edits), and losing new user status requires a large amount of edits. It is a rather funny IRL catch-22. But there are numerous projects limiting new users to the extent that they have killed themselves due to the lack of fresh energy, while the old people lose (have lost) their motivation in the long run. Also the mood of the community erodes, become unwelcoming, and inflexible. But you don’t have to believe me at all, I am just shaing my memoirs.)
You may remember my question about specifics. Either new accounts are limited to the complete uselessness or they can do editing. If they can your suggestion will not stop bots creating whatever amount of new accounts and do whatever actions they want. Bots can create accounts by hundreds a minute, if you have not seen that it’s not because they cannot, it’s just because they haven’t tried. Other [more spam-popular] projects see that already, and they are trying more tailored approaches, usually concentrating the specific problems instead of “general solutions” (which doesn’t work well).
That is a very valid concern. Which is why it bears repeating that we should keep above natural limits. This has been echo’d by various people in this thread. I also wrote just a couple of hours ago:
I think its a bit more nuanced. Look at the actual vandalism changesets. They have a LOT of changes, all over the world. Nothing that any natural person would make, nothing that a mapper that is only actually mapping for a couple of days (as per their account age) would make.
So were are not talking about black and whites. Instead we are talking about a normal beginning user making 100 edits in a changeset and these guys making changesets (like 140428044) that have 4000 changes over a huge area 6000km horizontal. This is not black/white, its mostly gray with a bit of black and white on the outer edges.
The limiting of a fresh user to the extend that they never actually notice will still have a huge limiting effect on spammers.
So, again, this is a valid concern. Thank you for prodding me to share my view on it.
I think the problem of limiting people to a painful amount is easy to avoid without losing the benefit that limits give. One way has been suggested in the OP (original post) with levels, and the intention clarified with the 10KM overview in my reply 157. The intention is something to agree on and maintainers can adjust limits to better suit what people actually use.
A lot of the recent criticisms here seem to come in without the context that this thread started before the most severe parts of the recent vandalism wave, but understandably discussions merged. The arguments also seem to boil down to “that’s not a perfect approach, therefore don’t do it” rather than recognizing that defenses against abuse are always necessarily layered (see defense in depth). The existence of windows on my house does not make my doors unworthy of locks. They just need nuanced controls, which is what OP is asking for and what Mateusz is saying the operations team is working on. If anything, this thread has proven that the community is full of ideas of potential approaches that could be taken. Even if none of them is perfect, some blend of them will probably help.
This item in particular stuck out to me. Surely, if the smarter solution is to do many smaller edits, the vandals would already be doing that rather than making mass edits? To keep going with my locks analogy, it’s like saying that the best way to detect that someone has broken into my house is if my furniture is all gone. I’d personally prefer they do less damage in one go. We should lock out (and maybe have?) the largescale edits and invest in our QA tools in response, and we should have community dialog about what controls are appropriate.
In the end, it would not matter much, how many accounts were used to take the furniture out when you return home, a single one, a dozen? If I understand correctly, accounts have been made more expensive to mitigate that.
It does. But now you must pay for lock mounting and tenants from now on must always carry a key in a pocket, while thieves still can freely enter your house through window. You could invent difficulties to fair users while not preventing evil users from do damage.
Users should earn reputation. Protected objects should be edited by users with proven reputation only. Important objects should be protected, especially objects with names rendered in tile maps on a large scales.
World is not “black or white”. Locking doors is still very important. While everybody can walk through doors, only few will be physically able to enter through a window. So doors are improving security of your house greatly. Mild inconvenience of carrying the keys reduces the number of people that can stole something from 100% to maybe 5%. Isn’t it worth it?
The same goes with cybersecurity. While we are unable to prevent all attacks or acts of vandalism we can make it as difficult as possible, so only few people can vandalise. It does improve the security of our data.
So in the Netherlands there is someone who has been opening dozens of anonymous notes filled with long angry tirades, insults and even threats because we aren’t removing the private footways in their neighbourhood. They have been doing this for well over a week by now, and are no showing a sign of stopping. no matter how much people try to explain or reason with them.
See: Note: 3902872 | OpenStreetMap
This is possible because anonymous people are able to continuously spam notes. A limit on anonymous notes would help, or maybe even disabling them alltogether. Though of course the latter is a tad extreme, and I don’t know how possible the first is. So I’d like to hear what others think about this idea.
A select few of the notes in question (all google translated to English from Dutch)
note comments by anonymous were disabled already due to a dedicated troll spamming single letter comments on repeat (mostly in Eastern Europe/Western Asia)
Personally, I’m not convinced that anonymous notes (any anonymous notes, not just angry tirades or spam) are a net benefit to the project. At best even well-meaning ones can only be a “prompt for a local mapper to survey”, since we can’t take an anonymous contribution on trust.