Praise of the Data Working Group

The board would like to thank the DWG for its excellent work in the recent vandalism event between 13th June and 18th June.

Disruptions to the dataset were limited to a few hours in the first round and often even less than an hour in later attacks. In detail:

On the evening of the 12th June, the vandals registered at least 24 accounts over an extended window of time, seemingly manually. The vandal accounts uploaded, in two waves from 2024-06-13T04:20:24Z to 2024-06-13T05:22:42Z, 17763 object versions. This grew further to 18969 object versions by 2024-06-13T05:31:43Z, and during those ten minutes there was the first, but small, pushback against the vandals: the vandalized name tags of two relations were rectified by one otherwise uninvolved mapper, but other damage even to those two relations was not reverted.

From 2024-06-13T05:32:03Z on, a DWG member and one other uninvolved mapper attempted to remove the vandalism with the usual changeset revert tools, but instead reverted objects to other vandalized versions. Until 2024-06-13T05:59:28Z the vandals uploaded only 810 further object versions, for a total of 19779 object versions, and that only from 3 remaining user accounts. This coincidentally partly overwrote wrongly or correctly reverted objects, but also not yet reverted objects. No pattern for a strategy has been found there. In the hours after this, a total of 15 otherwise uninvolved users attempted to revert changesets and frequently reverted to vandal versions. The clean-up was complete by 2024-06-13T09:13:55Z.

The vandalism itself took place over 1 hour and 39 minutes. It took a further 3 hours and 14 minutes to prevent people from reverting and to clean out the database.

The further rounds of attack were mitigated even faster by the DWG and with less interruption by well-meaning but haphazard mappers.

Our sysadmins have since implemented a bounding box limit for new accounts. The relevant bodies are currently discussing further measures to reduce potential vandalism vectors. If you want to keep up to date with what becomes tangible, you are invited to follow the issue tracker. Every measure will become visible there.

73 Likes
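The post above mentions a bounding box limit for new accounts without describing it. The following is an added example of what such a server-side check can look like; it is not the OSM sysadmins' implementation. The account-age threshold (7 days), the maximum extent (0.5 degrees on either axis) and the `Node` record are assumptions chosen for illustration.

```python
"""Bounding-box limit for uploads from young accounts.

Added example, not OSM's own code. Thresholds and the account-age rule are
assumptions; the real limit may be expressed differently.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Node:
    lat: float
    lon: float


def bbox(nodes):
    """Return (min_lat, min_lon, max_lat, max_lon) over the given nodes."""
    lats = [n.lat for n in nodes]
    lons = [n.lon for n in nodes]
    return (min(lats), min(lons), max(lats), max(lons))


def bbox_extent_deg(box):
    """Largest side of the box in degrees.

    A changeset straddling the antimeridian is measured the long way round,
    which over-estimates its size. For a limit on new accounts that is the
    conservative direction (it rejects), so it is left as is here.
    """
    min_lat, min_lon, max_lat, max_lon = box
    return max(max_lat - min_lat, max_lon - min_lon)


def changeset_allowed(account_created, upload_time, nodes,
                      max_account_age=timedelta(days=7),   # assumption
                      max_extent_deg=0.5):                 # assumption (~55 km)
    """Allow the upload unless the account is younger than max_account_age
    AND the changeset's bounding box is wider than max_extent_deg."""
    if not nodes:
        return True
    if upload_time - account_created >= max_account_age:
        return True  # established account: no extent limit applied
    return bbox_extent_deg(bbox(nodes)) <= max_extent_deg


# Constructed sample data (not real changesets).
T_UPLOAD = datetime(2024, 6, 13, 4, 20, 24)
NEW_ACCOUNT = datetime(2024, 6, 12, 22, 0, 0)      # registered the evening before
OLD_ACCOUNT = datetime(2023, 1, 1, 0, 0, 0)

WIDE_EDIT = [Node(52.52, 13.40), Node(48.14, 11.58)]   # roughly Berlin to Munich
LOCAL_EDIT = [Node(52.520, 13.400), Node(52.530, 13.410)]


def demo():
    return {
        "new_account_wide": changeset_allowed(NEW_ACCOUNT, T_UPLOAD, WIDE_EDIT),
        "new_account_local": changeset_allowed(NEW_ACCOUNT, T_UPLOAD, LOCAL_EDIT),
        "old_account_wide": changeset_allowed(OLD_ACCOUNT, T_UPLOAD, WIDE_EDIT),
    }


if __name__ == "__main__":
    print(demo())
```

The check is deliberately narrow: it only bites on accounts that are both young and editing across a wide area, which is the combination the incident above exhibited, and leaves established mappers untouched. The extent value has to be tuned to the project; a limit in degrees is a crude proxy for area and treats a 0.5 degree span at the equator and near the poles alike.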

Thanks indeed!

Is there any insight about the origin of this vandalism (like common origin IP addresses, other common patterns etc.)? It seems that it is somehow a coordinated campaign, and it would be interesting to the world (albeit our small OSM world) to know about it.

Thinking of a song by the late Leonard Cohen.
:raised_hands:

Yes. I wrote a bit about the suspected origin of this specific issue back at the top of one of the other threads; it wouldn’t be fair (on anyone involved) to say more here.

Answering the more general point - yes, lots of people (not just people in the DWG) look at “common patterns” in suspicious map edits. Have a chat with one of the “golf problem fixers” if you want chapter and verse about that.

C’mon - it’s 2024 - do we still believe that IP addresses somehow uniquely identify a particular individual? :slight_smile:

Let’s imagine that I’m doing Bad Things right now, and The Powers That Be want to “block my IP address”. They’d have to:

  • prevent access from all customers of one of the largest residential ISPs in my country
  • prevent access from all customers of one of the largest mobile ISPs in my country
  • prevent access from any VPN termination address that I might have access to.
11 Likes

Yeah… you could say that.

5 Likes

No, and just blocking IPs is sooo last-decade, but the IP does provide some useful signal IMHO. E.g. if you have 50 identified vandal changesets coming from some IP address in the first 10 minutes, and in the next 10 minutes you have 50 suspicious changesets coming from that same IP, then guess what? It is very likely you should consider those for revert too.

Of course vandals can use a different VPN endpoint for each subsequent changeset (just as they can /and I guess do/ use a different user), but it puts another hurdle in their workflow and hopefully makes it more likely to frustrate and deter some of them. Which is the idea - just make it too much work for too little effect, and most might give up on vandalism.


TL;DR: no, IP address does not uniquely identify a particular individual. Neither does an OSM username. But both may provide some useful signal.

5 Likes
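The heuristic in the post above (changesets from an IP that has just produced a batch of confirmed vandal changesets are themselves worth reviewing) can be run over an upload log. The following is an added example, not code from OSM or from the poster. It assumes a hypothetical server-side log in which each changeset upload is recorded with its time, changeset id, user name and source IP; the sample lines are constructed, and the window and threshold values are assumptions.

```python
"""Correlate not-yet-reviewed changesets with confirmed vandal changesets by
source IP within a sliding time window.

Added example, not OSM's own tooling. The log format is a hypothetical
"time,changeset,user,ip" CSV; sample rows below are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges, not real addresses. Six changesets from different throwaway users
# all arrive from one IP; later three more arrive from it, one from elsewhere,
# and one from the same IP much later.
SAMPLE_LOG = """\
2024-06-13T04:20:24Z,1001,user_a,203.0.113.7
2024-06-13T04:21:02Z,1002,user_b,203.0.113.7
2024-06-13T04:22:15Z,1003,user_c,203.0.113.7
2024-06-13T04:23:40Z,1004,user_d,203.0.113.7
2024-06-13T04:25:05Z,1005,user_e,203.0.113.7
2024-06-13T04:27:30Z,1006,user_f,203.0.113.7
2024-06-13T04:28:00Z,1007,user_g,203.0.113.7
2024-06-13T04:29:00Z,1010,regular_mapper,198.51.100.9
2024-06-13T04:29:30Z,1008,user_h,203.0.113.7
2024-06-13T04:30:10Z,1009,user_i,203.0.113.7
2024-06-13T04:45:00Z,1011,user_j,203.0.113.7
"""

# Changesets already confirmed as vandalism by a human reviewer.
KNOWN_VANDAL = {1001, 1002, 1003, 1004, 1005, 1006}


def parse_log(text):
    """Parse the hypothetical CSV into (time, changeset_id, user, ip) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, cs, user, ip = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(cs), user, ip))
    return sorted(rows)


def correlate_by_ip(rows, known_vandal, window=timedelta(minutes=10), threshold=5):
    """Return ids of unreviewed changesets whose source IP produced at least
    `threshold` confirmed vandal changesets in the `window` before them.

    Only confirmed changesets count toward the threshold, so the output is a
    review queue rather than a self-reinforcing block list; re-run after a
    reviewer confirms (or clears) the flagged ones.
    """
    by_ip = {}
    for ts, cs, user, ip in rows:
        if cs in known_vandal:
            by_ip.setdefault(ip, []).append(ts)

    flagged = set()
    for ts, cs, user, ip in rows:
        if cs in known_vandal:
            continue
        recent = sum(1 for t in by_ip.get(ip, ()) if ts - window <= t <= ts)
        if recent >= threshold:
            flagged.add(cs)
    return flagged


def demo():
    return correlate_by_ip(parse_log(SAMPLE_LOG), KNOWN_VANDAL)


if __name__ == "__main__":
    print(sorted(demo()))
```

On the constructed log this flags 1007, 1008 and 1009, leaves the regular mapper's 1010 alone, and does not flag 1011 because by 04:45 the confirmed vandal uploads have aged out of the ten-minute window. The threshold matters precisely because of the objection raised earlier in the thread: behind carrier-grade NAT or a campus network one IP is many people, so a single coincidence from a shared address should not be enough, and the result should go to a reviewer rather than straight to a revert script.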

Is there any official advice how we, The Haphazard Mappers™ (aka. the Community™) should act on various amounts and depths of observed vandalism? I don’t think “call the DWG” is a good idea on every kind of small-scale vandalism, and it may not be obvious when something’s beyond small scale. (Maybe it is for me, but I don’t remember it to be spelled out.)

Or does Haphazard™ cover only those of us who revert to a wrong (still w@nkerised) version? :smirk:

In lots of cases an IP address can identify a specific customer of an ISP. Likely in need of a judge to give the order to divulge that. True for most contributors to OSM, so GDPR rightly considers such PII.

In case of vandals having half of a brain, that will not be of much use, when they use a mixer/vpn.

In lots of cases an IP address can identify a specific customer of an ISP. Likely in need of a judge to give the order to divulge that.

But endpoint IP address is automatically divulged to the OSM API server by the nature of TCP/IP protocol. You don’t need any judge for that…

Judge could give an order to ISP to associate that specific IP address (at specific time) to specific customer, if you meant that.
But I do not see vast majority of the OSM vandalism cases ever reaching any judge…

Still, IP address is considered PII per GDPR, yes. Which confirms the initial claim – it is considered “Personally identifiable information”, because it could be used to help identify (the vandals in this case).
(IOW, if it didn’t help narrow a range of possible actors, it wouldn’t be considered PII).

In case of vandals having half of a brain, that will not be of much use, when they use a mixer/vpn.

To be truthful, if vandals had half a brain, they wouldn’t be vandalizing (any public property / commons such as OSM etc).
So by the very definition something is wrong with their brains.

Also, there are different grades of IT-vandals, and not every one of them is following top OPSEC recommendations all the time. It’s just so tiresome to do so, and one can easily skip most of them in the majority of cases and have much more convenience, so why bother…

If the point is “we’ll never be able to catch 100% of them”, well, yeah. There ain’t no such thing as perfect security, you can ever only try to fix most of the lowest-hanging fruit with available resources.

But if it helps eliminate 30% of the script kiddies, hey, that is 30% less work and more free resources to dedicate to those harder nuts…

2 Likes

Sigh. Please everybody read this post above again and slap yourself around the face with a herring until enlightenment occurs.

I can think of exactly one recent-ish DWG ticket of mine (from just over a year ago) where IP information told us specific useful information that we did not already know. In the vast majority of cases we already have a pretty good idea of who the miscreant is (e.g. “someone at XYZ school”). Some problem mappers (who I obviously won’t link to) are quite open about who they are and we have full name and address details provided by them. Also, the idea that ideal Western European standards of judiciary and policing apply around the world is unfortunately not the case.

4 Likes

Actually it was considered PII at least two years before the GDPR went into force, with https://curia.europa.eu/juris/document/document.jsf?text=&docid=184668&pageIndex=0&doclang=de&mode=lst&dir=&occ=first&part=1&cid=1066086

1 Like

Just to ensure nobody jumps to conclusions, something that the GDPR did make clear (and given that the UK still has GDPR derived legislation this applies there too), is that it applies to all data processed by companies domiciled in the EU/UK. As a result even if you are processing data of a resident of a non-EU data protection backwater, the GDPR still applies.

1 Like

For the avoidance of doubt - I was not making any comment on what GDPR or its precursors in the UK apply to, or what may or may not be considered PII. That isn’t relevant for this thread, and I’m familiar enough with the UK version of the legislation and the advice around it to know what it would and would not be OK to do.

I wish this were true, because I’d rather be protecting OSM against dumb vandals than smart ones.

That breaks down in cases where the actor performing the attack has a real-world motivation for harming OSM and thus may be technically sophisticated. There are many strong reasons why someone, some organization, or some government might rather OSM crash and burn than the map look the “wrong” way. I hope that “relying on the bad guy being dumb” is not our defense strategy.

I wish this were true, because I’d rather be protecting OSM against dumb vandals than smart ones.

Note that something wrong with their brains does not necessarily mean they are dumb, they could be very smart and still have problems.

It was probably a figure of speech, no need to get into the semantics here.

1 Like