We have a pretty good idea of the motivation of this one. It’s basically a temper tantrum by someone with a modicum of technical skills, after their application of those technical skills to the OSM data in their country wasn’t appreciated by the majority of people in that country.
9 Likes
Yes, this one in particular, although I think the discussion has drifted somewhat from the current incident to consider other vandals whose intentions are less clear. My point is only that “They hate our freedom” misses the mark. Draconian measures against mappers would hamstring benevolent mappers while delivering neither a win nor a loss to the high-profile vandals we’ve been discussing. The vandals aren’t especially concerned with whether it continues to be easy to craft-map.
(By the way, I hope folks realize that technical proposals are simply going to get lost in all the noise in this big long incident response thread. Please do not Reply All asking to be removed from the thread etc. etc.)
2 Likes
Anyone who wants a map set up like that can do that right now - OSM’s tools cover that and the so does the switch2osm documentation. People selling third-party map solutions to their customers have chosen to use OSM’s “OSM Carto” QA layer (superimposed with all sorts of other stuff) because they are commercial organisations who would prefer to sponge off a non-profit** than spend their own money (even if doing that might only cost them from €10 a month).
** if this seems overtly cynical then that’s because the complaints to the DWG have now reached the stage where many are from these very customers. They have talked to their suppliers and their suppliers, rather than admit that they are trying to pass off OSMF CDN tiles with no SLA as a “service” (for which they are no doubt charging) have asked those customers to contact OSM.
12 Likes
What I think is going on is OSM (again) discovers that we seek the “many as one” principle with difficulty. We have a snapshot of time (between distributions) during we will always be tweaking with respect to efficiency and resource balance. This is an ongoing conversation we will forever have with ourselves about finding a balance between “effort” and “effect.”
Could / should an intelligent agent (human or machine) constantly “scan” these durations and offer a “thumbs up” vs. a “shields up?” Yeah, that does seem to be going on, and it’s a lot of exhausting largely / exclusively human effort. People burn out sometimes especially when attacks seem personal. (Andy, you are widely heroic). This is time-consuming effort.
The way we might say we can or do not “tier” users as to their capabilities and maybe something like a watchfulness score, well, anti-vandalism strategies (and effective practices and rules) pretty much does this tier-ing, if only as the first-line firefighters are doing. Large geographical areas being written as a changeset are already a suspect category, but often involve nothing more (to a determined vandal or an earnest contributor) than a easily-dismissed warning. These OSM-cha-like subjects may be (or partly are) part of this intelligence toolchain. Managing that is what I think we are talking about. We do already manage that, to a degree and level. I think close to if not 100% of that effort being human and kind of stressful at times. We are discussing finer points about it, and while that’s hard work, we’re doing it.
It’s not as easy as categories like “under attack” (though, there are threats) or “known bad agent.” Though, cyber strategies like those are what weaves our intentions together into a sturdy steel cable of consensus. This seems a significant conversation we’re having. Tons of good ideas, top notch people talking about things here like adults. Outstanding!
This really does deserve some “best among us conferencing at an event” thinking.
1 Like
I don’t see that as an issue. Rather raising concerns, think about what can be done. Eg. check each edit whether any name was changed and whether it correlates with a certain set of potential harmful words. if there is a hit, transfer that object to a tasking manager (like Maproulette) where trustworthy members review it. Add that ID to a list, if there is another change to that ID, just add it to the “ticket”.
That list of words must not be complete. If an attack is detected, it can be extended. If Penis is on that list, but Penistone is acceptable, that can be added to a whitelist.
Same would do for disputed edits or prominent objects.
For sure, someone needs to code that, someone needs to review that. Though I think the number of those will be large enough to handle that queue and in worst case you can program a timer, after 5 days it get’s automatically released.
Thanks Henning. Part of my point is that we must put the horse before the cart. We must decide how we must best be rather first. Then implement.
The alternative, ahem, is to be purely reactionary anarchy. Ahem.
We’re doing that (putting horse before cart). What we discuss here is putting intention into that. Not that there hasn’t been; I would announce a parade! Really, this is where our best “effort at intention” must shine.
We do some of this “tier-ing” of edits of data entering the database already. We don’t really call it that, but that’s what’s going on.
Put good consensus behind that and that’s a fast chariot. Let’s build that consensus.
We’ve come a couple of decades together. We keep getting smarter all the time.
I smell Task Force.
That made me stop contributing to wikipedia.
4 Likes
I don’t think that’s comparable. If you decide to change the name-Tag from the Berlin-place tag it’s better someone else takes a look at that. It doesn’t mean, all your edits have to get reviewed.
I agree with you and I would see a need on something, withholding vandalism or at least flagging it. In this case it was rather obvious. Nobody would have realized, if the person would have renamed some objects here and there.
By the way, our wiki has the same capability and we’ve used it quite a bit over the years, though probably with different standards than on whichever Wikipedia edition you used to contribute to. I hope you don’t give up on improving our wiki just because I’m holding the proverbial mop there. 
Agreeing with this 100%. Our wiki is a serious compendium of consensus over our decades together. It (and its continuing updates) continues to earn respect. It has its downsides and weedy back lots, too. It is an effective, even vital method of community.
There is a sort of lag (not exactly like with Wikipedia, but a more specific version of it) that goes “wiki chases map chases wiki chases map chases wiki chases map…” It is a beautiful dance, has played out over many years, and that ain’t nuthin.’ An evolution of consensus over decades.
Clay and I just rippled with some Amtrak - OpenStreetMap Wiki rail changes he did earlier today in a quick missive between us…something he and I and others have been tap-tapping on for many years. Our wiki is alive and well.
How much does OSM lose in goodwill to such “offenders” vs. bringing the hammer down and telling them there are low-cost options for them, “you have 90 days?” (And the Foundation will pull your plug).
It may be time for us to be adults and consider this cost-benefit, as it seems easy. OK, we might be generous with 120 days. Or January 1 2025. We are 19 going on 20. Some things are “free” (as in beer), some things are not. We have policies, let’s enforce them.
2 Likes
I understand the whole thing rather as something to leverage the effort it takes to destroy our data vs. the effort it takes our time to get that straight as well as the services we “provide”. I don’t care about the commercials. I care rather on the small mapper-run services (which can’t spend the 10 EUR/month) or the effort mappers spent advertising OSM, pointing it out to their friends as the “better Google”.
For sure any protection won’t be a 100% thing. But I think it;'s time to think about, how some kind of vandalism can be made unattractive.
I think, urging consumers to not free-ride OSM-Carto Standard View – aimed at providing instant feedback on mappers – is one very much useful measure to limit impact of minutely updated – but served through caches – use of the data provided by this noble experiment.
PS: Aren’t you in to tiles providing yourselves?
I was into rendering Garmin maps for myself and sharing them with others. If in that time I would need to make sure on my that the maps are “functional”, I would have not done that sharing part and maybe would have rather spent the 200EUR for a official Garmin Topo map and would not have contributed to OSM.
I would be interested in how your idea is doing so? Sure, I can in future redirect my friends to Meta run map based on overture… their reply would be, then I can also sell my soul to google 
I’m fully with you, someone who uses OSM as background in a commercial service should do this on their own or pay someone do it or leave it… But there are hundreds of small projects based on OSM, run by mappers, if everyone is doing such kind of “cleaning” we lose that workforce as mappers. Or we loose their services.
I’m thinking the same, it’s just too easy to vandalise something. And many of these situtation are very easy to spot. However in my opinion we should not do a “checking system”, but instead limiting the size of edits. It’s hard to imagine why would someone need to make a globe-size edit–even if this an import or automated edit, you will most likely make it in smaller parts anyway.
Of course, we would need to discuss what a “too big edit” is and who would be able to lift the limitation if needed etc., but I think this would be something to think about. This wouldn’t need an extra staff and probably wouldn’t bother anyone, as I don’t think many people make chagnes bigger than a country.
1 Like
I wonder, how many more scares are needed before we recognise the growing threat? It is painfully easy to disrupt the OSM ecosystem, and even if the central repairs after a few similar attacks become quick and effective, the damage lingers on for weeks. This hurts the entire project, mainly by affecting the trust people have in OSM.
Suppose it takes a year and then someone launches a different attack, of course avoiding the detections now activated. Would that be hard? Mmmm…
Will the ‘powers that will be’ say: we didn’t see that coming, we couldn’t know, we trying our best? Sure. Will some people say: you’ve had a warning and then decided to remain a sitting duck? Sure.
Ah well. It is what it is. Even OSM is not forever.
2 Likes
Frustration with Google’s approval based system is one of the reasons I started editing OSM in the first place. I ended up not being able to implement a new roundabout because I hit their limits for number of changes in a single edit.
I doubt we’d be quite that restrictive, but if they can’t make their second edit because their first edit is pending review then that could be an issue.
5 Likes
I have known since joining OSM in 2009 that vandalism is bad for the project.
We, as OSM, I believe (but do not know) have built many reactions and defenses to vandalism, and I salute all who do. Fighting against it is truly is something which all of us do, however small or large. To wit, this dialog is an important part of it…
As long as we keep talking about best strategies to address vandalism, good. Let’s see vandalism as an existential threat, because it is. There is nothing wrong with getting ahead of the curve of any threat. Consensus, especially as it may strengthen the effects of that and as it makes itself better known to others catches on, as it appears it is doing (again); wonderful.
But agreement takes agreement, so let’s start agreeing on things. “Vandalism = existential threat”, anyone?
I didn’t pull this fire alarm; there are such things as fire alarms.
Maybe powers-that-be have vandalism under control (I doubt that, I also salute the “good saves” of many and recent events), maybe vandalism is getting out of control (what Andy said). We continue good dialog here. I remain in listening mode again.
It really is difficult to stay on topic here, maybe mods break this apart a bit.
Edit: If you scroll back to the original post on this topic, you’ll see at least a dozen or more “splits” into many sub-topics here. I don’t think I’ve ever seen quite that extent of splitting into many sub-topics. This really is an important topic (with many sub-topics) and I hope our moderators can help “capture” the many (hundreds of) sentiments into the various directions this topic has split into. Thanks to everybody for continuiing contributions to this topic.
It’s definitely a threat to OSM and it’s getting existential for me, if I as a ordinary mapper can’t use “my” data anymore. That’s the case if I can’t simply use the data, if today’s European data is useless, tomorrow American data,… if I would need to do a huge amount of work to clean up the data before having something useful. Work a single hobbyist can’t do. If I depend on a 3rd party to use the data. That I can get elsewhere without putting mapping effort in.