tea.mathoverflow.net - Discussion Feed (It's easy to mimic another low rep user)

Ben Webster comments on "It's easy to mimic another low rep user" (2175)

2010-01-28T00:10:57-08:00

What's sad is that for about the first second and a half I was looking at "Bon Wobster"'s post, I was thinking "wait, I never commented on this thread."

Of course, Ilya made the mistake of putting too much effort into spoofing me; sticking with "bwobster" would have been more life-like.

Anton Geraschenko comments on "It's easy to mimic another low rep user" (2044)

2010-01-21T12:44:14-08:00

Re Harry's joke: yes, I do check to make sure that two users are really the same before merging them. For example, if the two users have the same IP (which is tough to spoof) and submitted the same email address (again tough to spoof since you can't see what email anybody else used), I can be fairly sure they're the same person.

Anton Geraschenko comments on "It's easy to mimic another low rep user" (2041)

2010-01-21T12:33:55-08:00

@ilyaraz: done. Let me know if you have any other problems.

ilyaraz comments on "It's easy to mimic another low rep user" (2036)

2010-01-21T12:11:51-08:00

@Anton: could you please merge http://mathoverflow.net/users/3436/ilya-razenshteyn and http://mathoverflow.net/users/3448/ilyaraz ?

Bon Wobster comments on "It's easy to mimic another low rep user" (1144)

2009-12-17T11:19:21-08:00

@Harrison,

I kind of wish meta had bounty; I'd pay up to see a post from, for instance, "Bon Wobster" that gave something that looked like a mit.edu email that actually worked. (Provided of course that it wasn't actually by Ben Webster.) As it is, I guess you'll have my respect?

Looks like I'm just in time for the discussion! I'm the real Bon from MIT. Check this by sending an email to unknot (full address not given to present spamming). Everyone else who may appear under the name Bon Wobster will be spoofing me!

(Seriously, though, this is Ilya Nikokoshev. Now I've been spoofed and I'm spoofing. I hope there are no badges for this.)

Harrison Brown comments on "It's easy to mimic another low rep user" (1142)

2009-12-17T09:50:54-08:00

@Andrew: "That it can happen is not sufficient to demonstrate that it will happen." So it's probably relevant to note that before I abandoned the applied plane entirely for the Platonic realm of pure math, I was really into cryptography and computer-security issues. I wasn't really part of the communities (I mean, we're talking "when I was in high school" here), but I lurked around the edges enough to pick up some of the philosophy, a major part of which involves assuming things in your technical work (e.g., some nontrivial proportion of the world's computers can drop everything they're doing and try to break your code, there's someone who can listen in on any unencrypted telephone or email conversation, etc.) which would pretty much get you hospitalized if you professed to believe them in your private life.

So I think most of our disagreement stems from just a genuine philosophical difference, where my vestigial inner cryptographer requires me to be maximally paranoid when it comes to these matters. But I'm veering off-topic and have made the actual point I wanted to make as clearly as I'm gonna make it, so I'll shut up now. :)

Andrew Stacey comments on "It's easy to mimic another low rep user" (1141)

2009-12-17T09:05:59-08:00

Okay, I misremembered about needing an email address. However, it can be made a requirement - we do that on the n-forum. Also, moderators can be informed when someone wants to create an account, and also it can be set up so that a moderator has to validate a request for membership.

I'm still not convinced that this is a problem likely to occur here. That it can happen is not sufficient to demonstrate that it will happen. That's my real point: why would anyone bother to create a fake user here? I can see why over on MO, but it just makes no sense here.

However, as I've said, there are things that can easily be done to make it more difficult. I've mentioned a few of them already. If you are really concerned then I suggest that you head over to the vanilla website and have a browse through the add-ons there to see how other people have solved this problem - it's a sure bet that you're not the only one to have thought of it and people with far bigger forums (fora?) will have come up with good solutions.

If the moderators want to know what we've done on the n-forum, or how to implement some of the other things I've mentioned; well, they've got my email address!

llya Nikokoshev comments on "It's easy to mimic another low rep user" (1139)

2009-12-17T08:12:12-08:00

For instance, I am not actually Ilya; I am Harrison. But if you're not paying close attention, my name looks like Ilya's, and if I wanted I could say something malicious and petty here that could possibly hurt how people view the actual Ilya. Even though this would presumably be quickly corrected, there actually is the potential to do some lasting damage here, especially if Ilya had some quirk that I could exaggerate and turn into a major flaw. Drawing again on a political analogy, witness how many people genuinely or subconsciously believe that Sarah Palin said "I can see Russia from my house!"

Maybe this better illustrates the point I'm trying to make? I don't know.

Harrison Brown comments on "It's easy to mimic another low rep user" (1138)

2009-12-17T08:03:57-08:00

Well, assuming you can see "Gregg Kuppperberg"'s comment (and I can't think of a particularly good reason why you couldn't -- I can, so unless meta.MO is doing something weird involving IP addresses, so can everyone else), there's a counterexample right there to the claim that you have to have a valid address to register. I'm just trying to point out that identity spoofing is even easier on meta.MO (since the only identifying information you see without clicking through to a profile is the user handle), and this could be used maliciously.

Andrew Stacey comments on "It's easy to mimic another low rep user" (1135)

2009-12-17T07:16:39-08:00

What do you mean by "spoof an email address"? It was a long time ago that I registered for this site so I don't remember all the details, but I seem to recall that you have to have a valid email address to register since you get sent a link in an email to that address. Therefore you can't just put in any-old rubbish in the email field.

So I could attempt to create a fake user here that was pretty close to someone real, but I couldn't do it perfectly unless I had access to their email account and so there would be a trace for the moderators to find and see that I wasn't who I said I was. Now, obviously the danger is that the moderators might not look for fake accounts, but once there was cause to be suspicious then it shouldn't be hard to figure out that X was not Y.

However, if you are determined to find solutions to problems that don't exist, then there are several available. It's possible to add extra data to users' profiles, so you could add their userid on MO (which is unique, mine is 45 by the way) to their profile here. Similarly, on MO you could add their userid here (4, in case you're interested). Another way, which would also earn you universal acclaim in the vanilla community, would be to write a plugin for openid-enabled login here.

But whatever you favour, it's important to remember that there is never going to be a full solution to this problem so the issue is not solving it, but finding the balance that makes it more difficult to do here than the rewards would be whilst not putting up so many barriers that legitimate users get annoyed.

Harrison Brown comments on "It's easy to mimic another low rep user" (1133)

2009-12-17T05:40:11-08:00

@Ilya: Of course "if it ain't broke don't fix it," but it's probably good to know about potential holes here, too.

@Andrew: It's not that hard to spoof an email address either, though, right? Particularly if you're spoofing someone who doesn't primarily use an address with a .edu TLD or equivalent (e.g. me) although I'd be surprised if there wasn't some tricky way to spoof .edu emails as well. "Gregg Kuppperberg" had an obviously fake address, something like "sorry@icouldnthelpmyself.com", but I wasn't particularly going for realism there.

I kind of wish meta had bounty; I'd pay up to see a post from, for instance, "Bon Wobster" that gave something that looked like a mit.edu email that actually worked. (Provided of course that it wasn't actually by Ben Webster.) As it is, I guess you'll have my respect?

By the way, I don't have a problem with the benevolent dictatorship at meta either. I'm just worried that it might be possible to fool the benevolent dictators along with everyone else. I agree that some way of connecting meta accounts with MO accounts would plug the hole, though...

Andrew Stacey comments on "It's easy to mimic another low rep user" (1131)

2009-12-17T04:40:43-08:00

Moderators can see email addresses and you have to have a valid email address to get a login. There's an add-on that ensures that the same email address can't be used twice, which makes it slightly harder for someone to have two accounts here (one to be nice and one to be nasty!), though not much harder. (I don't know if that add-on is installed here or not.) I know that that's the opposite problem, but it's the same basic issue.

Given that MNMO (Meta's Not MO), I'm not bothered about having definite Overlords here who can do things that I can't (like seeing people's email addresses). So far they've shown themselves to be fair and I'm happy to let them get on with the job - I have enough to do with policing my own demesnes and have no wish to add to that.

Ilya Nikokoshev comments on "It's easy to mimic another low rep user" (1129)

2009-12-17T00:58:22-08:00

Theoretically, one can post their Meta account number on MO profile, making it possible to verify a Meta identity.

Of course, we'll need to establish first that there is a real problem with mimicking users before we start solving it :)

Harrison Brown comments on "It's easy to mimic another low rep user" (1117)

2009-12-16T14:12:37-08:00

Actually, though, something like "David Spayer" registering *could* happen on meta.MO, as my tiny attempt at a joke above indicates. And since there's no such easy identifying features as badges or reputation on meta, it's a potential issue.

(David, I realize that's not how it's pronounced actually, but it's still how it's pronounced in my head. So it was the first example I thought of.)

Gregg Kuppperberg comments on "It's easy to mimic another low rep user" (1116)

2009-12-16T14:07:38-08:00

"everyone would notice if 'Gregg Kuperberg' showed up with a reputation of 1 and no badges."

Well, I hardly think I'm that famous, but thank you anyway!

(Sorry, it had to be done. I'll go back to my regular account now.)

Michael Lugo comments on "It's easy to mimic another low rep user" (1109)

2009-12-16T13:01:15-08:00

This unregistered account problem seemed to happen a lot very early on, before some of the issues with OpenID were sorted out.

In particular, http://mathoverflow.net/users/143/michael-lugo is my real account; http://mathoverflow.net/users/144/michael-lugo somehow accidentally got created.

davidk01 comments on "It's easy to mimic another low rep user" (1085)

2009-12-15T17:42:51-08:00

I was wondering about this myself. How does MO keep track of its users if the user names are not unique. Is there any kind of unique identifier that is kept track of? The only thing I can think of is the openID I use to log in.

Ilya Grigoriev comments on "It's easy to mimic another low rep user" (1084)

2009-12-15T17:15:52-08:00

@Anton: Could you please merge my two unregistered accounts into my main account, just for the sake of orderliness? They are:
http://mathoverflow.net/users/2467/ilya-grigoriev (the main one)
http://mathoverflow.net/users/420/ilya-grigoriev
http://mathoverflow.net/users/411/ilya-grigoriev

Thank you!

Sonia Balagopalan comments on "It's easy to mimic another low rep user" (1081)

2009-12-15T13:44:35-08:00

Slightly off-topic, but http://mathoverflow.net/users/1438/gowers needs to be merged with http://mathoverflow.net/users/1459/gowers, I'm pretty sure.

Anton Geraschenko comments on "It's easy to mimic another low rep user" (1080)

2009-12-15T12:51:48-08:00

Display names are not unique at all. You can make your display name anything you want, even if another user is already using it. People will have to just tell you apart by your user numbers or by your avatars. I can't think of a way to improve the situation (I actually think it's pretty close to optimal, given the identity spoofing is pretty much impossible to truly prevent).

The different Erwins are all the same person (at least they all came from the same IP and used the same email address). I've emailed the user, asking him to register an account, after which I'll merge them all into one.

Automatic retrieval of orphaned cookie-based accounts is planned for a future version of the SE software (hopefully it will be in the next beta), so people will be able to get back their unregistered accounts even if they lose the cookie.

Scott Morrison comments on "It's easy to mimic another low rep user" (1079)

2009-12-15T11:56:02-08:00

For reference, here's a copy and paste of the deleted page:

just a try to do vote up -7 vote down star

try to get a fake account numerical-analysis mod|edit|close (1)|undelete

asked 2 hours ago Erwin 1

1 I flagged this as spam. I think if enough people do this it gets automatically deleted. – Jonas Meyer 2 hours ago [delete this comment] Oh, are you the same Erwin as mathoverflow.net/users/2605/erwin ? I had made a different assumption (see meta.mathoverflow.net/discussion/101/… ); I apologize. Merging registered and unregistered accounts seems to be tricky. For now, the best solution seems to be to e-mail Anton: geraschenko@mathoverflow.net – David Speyer 2 hours ago [delete this comment]

locked by Community♦ 2 hours ago

deleted by Community♦ 2 hours ago vote up 0 vote down

Sorry, yes it is a kind of spam. I just tried to catch the cookie from my earlier post. But I messed up the tags (I wanted to take an unknown one which would have prevented the posting.) mod|link|edit|undelete deleted 2 hours ago

answered 2 hours ago Erwin 1

David Speyer comments on "It's easy to mimic another low rep user" (1075)

2009-12-15T11:29:15-08:00

Right. The second one posted a very strange question (now deleted) which looked to me like it was challenging us to figure out how to impersonate a user. (The title was something like "try to make fake account".) It is now my understanding that the question was an unsuccessful attempt to merge the accounts.

rwbarton comments on "It's easy to mimic another low rep user" (1073)

2009-12-15T11:00:44-08:00

Those are both unregistered users, and it looks to me like they really have the same name. My understanding is that it's possible to accidentally create a duplicate unregistered user if you lose the cookie the site gives you when you create the first one. In particular, if you are an unregistered user, you should not assume that others cannot impersonate you (you have staked no claim to your username).

Harald Hanche-Olsen comments on "It's easy to mimic another low rep user" (1072)

2009-12-15T10:31:05-08:00

Discussion at where? (Page does not exist.) And some times you have to exploit a hole to be sure it exists.

David Speyer comments on "It's easy to mimic another low rep user" (1071)

2009-12-15T09:42:02-08:00

I may have jumped the gun here. See discussion at http://mathoverflow.net/questions/9004/just-a-try-to-do . (ED: the page has been deleted, so you won't be able to see anything here)

David Speyer comments on "It's easy to mimic another low rep user" (1070)

2009-12-15T09:36:40-08:00

You can take one low rep user, such as http://mathoverflow.net/users/2605/erwin and create an account which displays as the same user, such as http://mathoverflow.net/users/2607/erwin . I assume that the latter account contains whitespace or some nonprinting character in the name. (This trick won't work with a high rep user, because everyone would notice if "Gregg Kuperberg" showed up with a reputation of 1 and no badges.)

Obviously, this is extremely rude and the ersatz-Erwin should be discouraged from ever doing this again. Since his intent was clearly to point out the security hole and not to actually mimic Erwin, we simply need to tell him that the polite way to point out a security hole is to file a bug report, not to exploit it. If anyone actually tries to cause harm in this way, they should be banned.

I'm opening up this thread for discussion of how to prevent this in the future. One way is to ban whitespace and nonprinting characters from usernames. I think this might be a losing arms race though. Better ideas?