PDA

View Full Version : Imposter warning



ToSeek
2009-Dec-14, 02:04 PM
Hi,

Recently the moderators (and others) have noted the emergence of new users who have names so similar to the names of existing established members that vBulletin gets confused. Specificallly, they will see the name "Reliable User" and use the name "Reliable-User", which for purposes of looking up profiles and such are identical so far as vBulletin is concerned. We are looking into ways of squashing this. (And if you're doing this, be warned that this is a ban-on-sight offense.) In the meantime, be aware of the situation and, if you see an example, please let me know via PM. Thanks.

ToSeek
BAUT Forum Administrator

Nick Theodorakis
2009-Dec-14, 02:32 PM
Could users request that certain names be "locked out" so they can't be used? For example, one might make the usernames "To-Seek" and "To Seek" unavailable by request.

One more question: are usernames case-sensitive?

Nick

swampyankee
2009-Dec-14, 02:52 PM
I would think that it would be fairly straightforward to add a bit of filtering software to the registration software to filter out names which are not sufficiently different from existing names. Obviously, how you define "sufficiently" is the difficult part, but I'd start by forbidding any new names with characters that vBulletin ignores, and those that differ only in case. One suggestion is to try googling for "Levenshtein distance."

Nick Theodorakis
2009-Dec-14, 02:58 PM
We'd have to make allowances for existing members; for example, there are two well-established posters with the usernames "publius" and "publiusr."

Nick

Fazor
2009-Dec-14, 03:34 PM
We'd have to make allowances for existing members; for example, there are two well-established posters with the usernames "publius" and "publiusr."

Nick

That's different. While they're similar to a reader, they're spelled differently and I'm sure the software picks that up. At least, I've never been confused as an admin by the software, just from the occasional user. :-P

Moose
2009-Dec-14, 04:07 PM
Could users request that certain names be "locked out" so they can't be used? For example, one might make the usernames "To-Seek" and "To Seek" unavailable by request.

1) How could the admin tell if this was done intentionally or maliciously? We'd wind up with a problem we'd have no way of solving, short of meticulous record-keeping.

2) You'd wind up hijacking your own profile, and making it difficult for others to contact you through it, plus you'd have trouble making changes to your own settings.


One more question: are usernames case-sensitive?

Usernames aren't case sensitive as far as registration and login. Moose = moose = MOOSE. But the board will keep the caps intact in the (similar but different) display name field.

Nick Theodorakis
2009-Dec-14, 04:13 PM
1) How could the admin tell if this was done intentionally or maliciously? We'd wind up with a problem we'd have no way of solving, short of meticulous record-keeping.
...

What I meant was, could users proactively ask that an currently unused username similar to theirs be locked out of future registration? Sort similar to the way that a company may register a number of domain names similar to their main one to make it harder for somebody to hijack their web traffic.

Nick

BetaDust
2009-Dec-14, 04:29 PM
Well the number of posts made, would be a clue.

If I see a "ToSeek" somewhere here, with less then 25,000 post's...

I'll hit Red Alerd. ;)

---
Thanks for the heads up, ToSeek.

--Dennis

ToSeek
2009-Dec-14, 04:34 PM
What I meant was, could users proactively ask that an currently unused username similar to theirs be locked out of future registration? Sort similar to the way that a company may register a number of domain names similar to their main one to make it harder for somebody to hijack their web traffic.

Nick

I tried to find a vBulletin setting that would let me do that. So far I have not been successful.

Fazor
2009-Dec-14, 04:38 PM
As popular as the vBulletin software is, I'd think this issue would have come up on other forums as well. Have you talked to their support people (if they have any)?

Jeff Root
2009-Dec-14, 07:45 PM
In order to lock out specific names, you might need to register them and
then ban them.

-- Jeff, in Minneapolis

chrissy
2009-Dec-14, 08:34 PM
So far it is the users who have a space in their names, like Jeff Root, the imposters are just adding the "-" between the first and second name ie: Jeff-Root and bingo, it takes over your account.

Nick Theodorakis
2009-Dec-14, 08:39 PM
So far it is the users who have a space in their names, like Jeff Root, the imposters are just adding the "-" between the first and second name ie: Jeff-Root and bingo, it takes over your account.

As Jeff suggested, is it possible to just register those variations and ban them, or does that also lock out the "original" account?

Nick

chrissy
2009-Dec-14, 08:51 PM
I have banned the imposters but it still remains on the origional users account, it doesn't ban the origional user but the rider.
Only an administrator can change the name of the imposter and it vanishes from the real users profile. This is how we can clear them so far.

Swift
2009-Dec-14, 08:51 PM
As Jeff suggested, is it possible to just register those variations and ban them, or does that also lock out the "original" account?

Nick
ToSeek has a system for dealing with the ones that are already created (at least once we learn about them). I won't elaborate.

The bigger issue is what could be done about the ones that don't yet exist. I suspect manually going through the list of all members with a space in their name, and doing what you suggest, would be a very big job, unless we can figure out a way to automate it.

Nick Theodorakis
2009-Dec-14, 08:57 PM
ToSeek has a system for dealing with the ones that are already created (at least once we learn about them). I won't elaborate.

The bigger issue is what could be done about the ones that don't yet exist. I suspect manually going through the list of all members with a space in their name, and doing what you suggest, would be a very big job, unless we can figure out a way to automate it.

You could let the users volunteer to police their own names. Could they submit a registration request with a note added they are requesting it to be locked?

Nick

Swift
2009-Dec-14, 09:02 PM
You could let the users volunteer to police their own names. Could they submit a registration request with a note added they are requesting it to be locked?

Nick
So, a user who has a user name with a space (like Nick Theodorakis, for example ;) ) would create a second user called "Nick-Theodorakis", then ask us to ban the new user?

We'd still have to ban the new user, and that couldn't be done by a moderator, only an administrator, because of the method that has to be used (if I'm understanding this whole thing correctly, I'm not the alpha-geek for this sort of stuff). I think this still might be a ton of work for our two admins.

Moose
2009-Dec-14, 09:08 PM
I suspect manually going through the list of all members with a space in their name, and doing what you suggest, would be a very big job, unless we can figure out a way to automate it.

As I said before, that would be a poison pill. If we did that, nobody with spaces in their name could reach their own profile. We'd have literally caused, globally, what we're seeking to prevent.

What we have is an irritant, not a crisis.

Best thing folks can do for now is that if you have a username with spaces in it, check your profile now and again. If you don't wind up in your own profile, let a mod or admin know. If we come up with a better way ahead, we'll let you all know.

01101001
2009-Dec-15, 01:03 AM
The bigger issue is what could be done about the ones that don't yet exist. I suspect manually going through the list of all members with a space in their name, and doing what you suggest, would be a very big job, unless we can figure out a way to automate it.

I think it's another reason to dump vBSEO (http://www.crawlability.com/vbseo/). I don't think it's a vBulletin problem. It think it happens because vBSEO creates search-engine-friendly URLs, but pretty much ignores everything but alphanumerics and "_" when generating the URLs, mapping all funny characters to "-".

That turned out to be the culprit during an earlier episode of confusion of multiple member names mapping to one member CP.

(The other reason, of course, is that "permalinks" don't work for everyone since vBSEO assumes everyone uses the page size setting of 30.)

ToSeek
2009-Dec-15, 04:09 PM
Okay, I found a vBulletin setting that limits the character set that's allowed in usernames. We'll see if that does the job.

Swift
2009-Dec-15, 04:18 PM
Okay, I found a vBulletin setting that limits the character set that's allowed in usernames. We'll see if that does the job.
Yeah, I mean we have more than enough characters around this place already.
http://www.philwoods.com/forums/images/smilies/rimshot.gif

Otherworldly
2009-Dec-15, 05:09 PM
Yeah, I mean we have more than enough characters around this place already.
http://www.philwoods.com/forums/images/smilies/rimshot.gif

Another self-affirming post :rolleyes:

slang
2009-Dec-15, 06:03 PM
I'm not sure if it's the same problem, but there's an imposter with my name, and the same post count and signup date, who sometimes posts something dumb.

Swift
2009-Dec-15, 06:10 PM
I'm not sure if it's the same problem, but there's an imposter with my name, and the same post count and signup date, who sometimes posts something dumb.
They live in the Netherlands and quote Charles Darwin and Jason Thompson in their signature? Yeah, we're on them, and are about to ban them permanently!

;)

HenrikOlsen
2009-Dec-15, 08:42 PM
Well the number of posts made, would be a clue.

If I see a "ToSeek" somewhere here, with less then 25,000 post's...

I'll hit Red Alerd. ;)
You probably won't, that's not the designed-in buggy behavior that's being exploited.

It's the braindeadness that thinks it's a good idea to construct the link to a user's profile by replacing spaces in the name with a hyphen and didn't consider that this is not a bijective function, so the link can't uniquely identify the user and thus will show the profile of the wrong person.

Banning the other name preemptively only makes the profile-link point to the banned profile so isn't a solution.

Torsten
2009-Dec-16, 02:59 AM
Would it be feasible for the spaces in existing user names to be replaced by underscores? That is, change the names of those users so that they essentially appear the same, but require the underscore upon login. (In case limiting the character set doesn't work out. Are there legitimate hyphenated user names that wouldn't work as a result of that?)

Otherworldly
2009-Dec-16, 04:42 AM
This sounds like a really appalling bug. So the software treats two IDs as distinct in some circumstances (at registration), but the same in others? :naughty: It would be perfectly OK to have multiple text strings map to the same logical user identity, but you've got to use the same mapping all the time.

sirius0
2009-Dec-16, 06:42 AM
Now if I tried to set up another account with the user spelt exactly the same as another I would not be able to. But obviously the initial registration can see the difference, allowing these other accounts, so why can't the login algorithm?

Otherworldly
2009-Dec-16, 06:44 AM
Now if I tried to set up another account with the user spelt exactly the same as another I would not be able to. But obviously the initial registration can see the difference, allowing these other accounts, so why can't the login algorithm?

Yep. It's OK to do it one way, and it's OK to do it the other way. It's just not OK to do it one way sometimes, and the other way other times :(

HenrikOlsen
2009-Dec-16, 07:30 AM
Now if I tried to set up another account with the user spelt exactly the same as another I would not be able to. But obviously the initial registration can see the difference, allowing these other accounts, so why can't the login algorithm?
Because the login algorithm is part of the core system and the "search engine friendly" links are generated by an add-on that lies for a living and lies badly at that.

If only the add-on designers had though of including the user id number in their pretty link so it had been e.g. .../henrikolsen-2600.html instead of .../henrikolsen.html, and used the number to identify the user so it would still uniquely identify the user regardless of character replacements, character set conversions and other transformations, it might actually have been good.

Same with the permalink, if they'd made it use the post number instead of page number it would have been great, as it is now it's just plain broken:(

Norman Castle
2010-Mar-08, 05:54 PM
Are you certain that anyone is doing it deliberately? After all, if someone uses their own name, it isn't all that unlikely to meet another user with the same or very similar name as them. Or if someone takes their username from popular culture, or it's a pun (like mine) it's not unlikely that someone else will want to use the same one.

Before I registered I checked to see if Norman Castle was unused. I didn't even think of checking NormanCastle or Norman-Castle or any other variations.

The solution is, if there is clear evidence of deliberate action you ban them as a troll. If there is no evidence, then it's likely just a co-incidence, and you instruct the newbie to pick a different name.

HenrikOlsen
2010-Mar-08, 06:08 PM
When someone creates a user named Captain_Swoop it's rather likely the deception is deliberate.
Incidentally, banning them isn't a solution as the name still shadows the real user.
They have to be renamed and/or deleted, which has to be done with great care because of the aforementioned lying piece of garbage add-on.

Norman Castle
2010-Mar-08, 06:29 PM
When someone creates a user named Captain_Swoop it's rather likely the deception is deliberate.

Is that based on an actual incident? I'm new here so I don't know. I see you have a "Captain Swoop" registered, but no "Captain_Swoop."

Anyway, a brief check on Google seems to reveal many different people calling themself "Captain Swoop." It seems to be originally a character in "Transformers" of which I have no knowledge at all. So I don't think it's altogether impossible that two different persons would pick that name on this forum just by chance.

HenrikOlsen
2010-Mar-08, 06:37 PM
Is that based on an actual incident? I'm new here so I don't know. I see you have a "Captain Swoop" registered, but no "Captain_Swoop."
We don't have the offending users registered under their bad name anymore, as that would mean they'd still be blocking access to the real user's profile.
What you may have missed is that Captain Swoop is a moderator, making the incident rather more suspicious.

Swift
2010-Mar-08, 06:58 PM
Is that based on an actual incident?
Yes it was and it happened to several well established members and moderators.

Buttercup
2010-Mar-08, 07:07 PM
A friend of mine in a different forum once participated in a poorly-moderated forum wherein trolls began routinely creating "duplicate" usernames (with one tiny character difference)...they'd post all sorts of nasty stuff as if "in reply" by the real person, pick fights; of course those folks quickly got themselves to a moderated board. :rolleyes: It's a real loser who'd take the time/effort to create such trouble.

The Backroad Astronomer
2010-Mar-08, 08:07 PM
If someone goes for Garnet_Star all you have to do is change your name again.

Nick Theodorakis
2010-Mar-08, 08:16 PM
If someone goes for Garnet_Star all you have to do is change your name again.

I think the next one on her list is Butterstar Garneticup.

Nick

HenrikOlsen
2010-Mar-08, 08:20 PM
Darth Butterstar:)

Buttercup
2010-Mar-08, 08:56 PM
:p :lol:

Provence
2010-Mar-08, 10:42 PM
How clever. The thread title is ambiguous, but both interpretations make sense.

FarmMarsNow
2010-Mar-09, 03:46 AM
I would think that it would be fairly straightforward to add a bit of filtering software to the registration software to filter out names which are not sufficiently different from existing names.
Maybe, but a pattern parser wouldn't catch all of the lookalikes. I wonder if you could bounce new names off Goog...you know who's server, if it has a function to return all similar words? Maybe there is a hack.

captain swoop
2010-Mar-09, 04:15 PM
I didn't know Captain Swoop was in transformers. I have used the name for years. It was a Superhero character an artist friend of mine invented back in the 80s.

Jim
2010-Mar-09, 05:40 PM
And the Transformers stole it! I smell lawsuit!!

Jim
2010-Mar-09, 05:45 PM
On a somewhat more serious note, if you look at the name of the poster in the pper left corner of the post, you'll see that it is underlined. One of the problems is that when so underlined captain swoop and captain_swoop (f'rinstance) are hard to distinguish.

pzkpfw
2010-Mar-09, 06:32 PM
| captain swoop | captain swoop |
| captain_swoop | captain_swoop |

The slightly longer (wider) underscore than space is not easy to spot, without reference.

Gigabyte
2010-Mar-09, 06:40 PM
Has anyone reported this to vBulletin®?

In all the boards that use vBulletin®, I have never heard of this.

Nick Theodorakis
2010-Mar-09, 07:03 PM
Not being able to distinguish an underline from a space when the text itself is underlined is not a problem with vbulletin specifically, but just one of things on the web. The more serious problem, which I believe was discussed upthread, is not with vbulletin but with an add-on that makes "search engine-friendly" urls out of the links vbulletin generates. Instead of having the user profile linking to some number id, it takes the username and substitutes spaces with hyphens. Thus if someone else registers as "nick-theodorakis" their user profile will have the same url as mine.

Nick

01101001
2010-Mar-09, 07:04 PM
In all the boards that use vBulletin®, I have never heard of this.

How about the ones that use vBSEO? I think the problem is that good solid distinguishable funny-charactered hard-to-read URLs that vBulletin generates are mashed into something "search-engine friendly" human-readable by the vBSEO addition. That makes links to user control points, where the usernames vary only by special characters, map onto one CP and cause conflict.

See earlier hint about vBSEO (http://www.bautforum.com/forum-rules-faqs-information/98073-imposter-warning.html#post1643258), this topic.

Maybe vBSEO has been fixed since it was installed here? I was hoping our upcoming vBulletin upgrade would somehow make vBSEO less stupid, or unnecessary.

ToSeek earlier did tweak vBulletin to restrict the funny characters in usernames, but it looks like underline is still allowed.

Edit. Scooped above by 1 minute. Well done.

Gigabyte
2010-Mar-09, 07:15 PM
This whole thing makes me glad I have a one word user name.

And didn't go with my first choice, "He_who_is_awesome".

HenrikOlsen
2010-Mar-09, 08:40 PM
How about the ones that use vBSEO? I think the problem is that good solid distinguishable funny-charactered hard-to-read URLs that vBulletin generates are mashed into something "search-engine friendly" human-readable by the vBSEO addition. That makes links to user control points, where the usernames vary only by special characters, map onto one CP and cause conflict.
And I suggested that it should have been done from the beginning by incorporating the numerical userid in the nice link so we'd have eg. an url with captain-swoop-5786 for "Captain Swoop" and captain-swoop-68245 for "Captain-Swoop".

vBSEO has several such designed-in nasty breakages, the "perma-broken link" is another, where a link generated by one user is useless for another user with a different setting for page-length because they refer to the page by number instead of by the actual post.

And later updated templates have incorporated the broken links even deeper in the system.

mugaliens
2010-Mar-17, 08:36 AM
On a somewhat more serious note, if you look at the name of the poster in the pper left corner of the post, you'll see that it is underlined. One of the problems is that when so underlined captain swoop and captain_swoop (f'rinstance) are hard to distinguish.

The "moderator" beneath the real Captain Swoop's name and the lack thereof for the imposter is a dead giveaway. :lol:

At least in his case. In mine, watch out for boojums in black hats wearing the mug_aliens nametag...

HenrikOlsen
2010-Mar-17, 05:24 PM
The "moderator" beneath the real Captain Swoop's name and the lack thereof for the imposter is a dead giveaway. :lol:
The second problem was that clicking on the real Captain Swoop's name got to the imposter's profile.

HenrikOlsen
2010-Mar-17, 09:12 PM
At least in his case. In mine, watch out for boojums in black hats wearing the mug_aliens nametag...
How about the ones wearing genebujold name tags? Shoot on sight?

mugaliens
2010-Mar-17, 11:13 PM
How about the ones wearing genebujold name tags? Shoot on sight?

:confused: That's cryptic...

01101001
2010-Mar-17, 11:42 PM
I love a good puzzle.

Trespinad
2010-May-01, 07:12 AM
So under the new system, is there an easy way to pull up a user's profile if a link isn't handy?

Before, you could just click on someone else's profile page, then type the name you really wanted in the appropriate place in the URL. Now that doesn't work. So you have to find a post. Or go through the member's list, but not everyone appears there.

To take an extreme example, suppose someone registered but never posted. How can I pull up that person's profile page? I don't know how to do it now.

HenrikOlsen
2010-May-01, 07:42 AM
Or go through the member's list, but not everyone appears there.
Actually, that's changed, now they do.

slang
2010-May-01, 08:53 AM
Welcome to BAUT, Trespinad!


Actually, that's changed, now they do.

Not quite. Trespinad isn't in there, and can't be found by using Search Members. Neither is unix1 whom I tried to look up the other day. So apparently at least newbie status doesn't seem to make the list.

BetaDust
2010-May-01, 01:31 PM
For me, only members with 10 or more post's show up in the list.

HenrikOlsen
2010-May-01, 03:29 PM
OK, I stand corrected. I had gotten the impression it was everyone when ToSeek changed the setting so banned/suspended users are visible in the list.

ToSeek
2010-May-03, 03:39 AM
OK, I stand corrected. I had gotten the impression it was everyone when ToSeek changed the setting so banned/suspended users are visible in the list.

It's been the case for a while that newbies aren't on the list - I didn't change that with the last modification.

caveman1917
2013-Feb-03, 10:46 PM
I suppose the mods are leaving the above spam post in for the irony about which thread it was posted in :)

Swift
2013-Feb-03, 11:08 PM
I suppose the mods are leaving the above spam post in for the irony about which thread it was posted in :)
I just sent them on their way. Given the dozens we kill, some slip through.

slang
2013-Feb-04, 06:13 AM
I suppose the mods are leaving the above spam post in for the irony about which thread it was posted in :)

Um, calling ToSeek's posts spam isn't very nice! ;)

See, silly things like that happen if you post about spam, instead of simply typing "spam" in the report post thingy (as others did in this case). I know you know this, but others might be reading this thread.

NEOWatcher
2013-Feb-04, 12:42 PM
I suppose the mods are leaving the above spam post in for the irony about which thread it was posted in :)
What above post?
After over 2 1/2 years this threads been idle, I haven't a clue about what you're talking about.

Swift
2013-Feb-04, 01:49 PM
What above post?
After over 2 1/2 years this threads been idle, I haven't a clue about what you're talking about.
There was a spam post posted, it somehow got approved, and now it has been deleted and the spammer has been banned.

As the zebra police said in the Gary Larson cartoon, move along folks, nothing to see. :D

caveman1917
2013-Feb-04, 09:29 PM
Um, calling ToSeek's posts spam isn't very nice! ;)

See, silly things like that happen if you post about spam, instead of simply typing "spam" in the report post thingy (as others did in this case). I know you know this, but others might be reading this thread.

I know, it's just that the irony that this one spam post that got through should, of all places, end up in a thread called "imposter warning" seemed funny enough to make the remark. I figured that, even after it got deleted and especially with Swift's reply, people would still figure it out.

HenrikOlsen
2013-Feb-26, 02:13 AM
The problem was with a particularly stupid add-on claiming to search engine optimize the urls to pages, but which was broken by design in several nasty ways including that different user names folded to the same profile page url which was how that trolling worked.
That [stuff] has thankfully been pulled so that trick doesn't work anymore.