morgayn
Malicious Impersonation Mark Unseen   Jan 29 08:31 UTC 1996

        Due to some rather silly and childish events of this late evening and
early morning, I have a question...what can the staff of Grex do when another
user purposely and maliciously recreates another user's old account to delete
old posts and wreak havoc? What kind of guidelines does Grex have to guard
users, and themselves, against such behaviour? What can they, within ethical
reason, do to avert and discourage such silliness?
        The reason I ask is because the account I am entering this under was
my account for well over a year. I was silly and got myself on some mailing
lists which never seemed to receive my 'unsubscribe' messages and which caused
me to single-handedly lag grex with my mail. This account was deleted, and
I left it deleted in hopes that the mail would stop and that Grex could thrive
without my 400+ pieces of mail each day. I recreated myself as 'morgaene',
and have happily logged on under that name since.
        This evening, I got into an argument with a fellow user, who shall
remain nameless because I do not wish to publicly embarrass or humiliate
them. The aforementioned user decided to recreate my old account. This user
sent me a telegram from 'morgayn'. Another user informed me that the intention
was to delete my previous posts in conferences. I immediately mailed popcorn
and asked her to help. I also caught mdw in a chat and asked for his help.
        Both staff members were quick to help me, mdw promising to put my
responses back, and popcorn immediately logging out the imposter and mailing
me the password so that I may change it and avoid this in the future. I thank
them both for their help. When logging back into this account, I found
evidence in my file listing that it had been tampered with. I do not think
this is appropriate behaviour, and I appreciate all of the staff's help.
        Which leads me back to my original question, as users, what do you
think staff members should be allowed to do in such situations...how would
you like to see them handled...I am interested in seeing what fellow users
have to say here.
37 responses total.
popcorn
response 1 of 37: Mark Unseen   Jan 29 08:47 UTC 1996

Impersonating another user is not an acceptable use of Grex.

If the name or .plan of an account says it belongs to somebody, generally
staff will reset the password and give the new password to the person the
account claims to belong to.  In this case, the account claimed to be a
re-creation of the same old morgayn account by the same person, so I reset
morgayn's password and gave it to the same person who had had the morgayn
account in the past.

I don't think this issue needs to turn into a big deal.
srw
response 2 of 37: Mark Unseen   Jan 29 08:52 UTC 1996

Staff has had to deal with imposter accounts before. This is not the first
time by any means. Usually it is handled behind the scenes, but we do have
a standard response when a claim is made that an account is an imposter.

We do not consider it to be appropriate use of Grex to impersonate another.
We reset the password on the alleged imposter account and send the new one to
the person whom the account claims to be owned by. This causes only minor
disruption if the accusation is false. (We do not turn the pw over to the
accuser, read that carefully.) and immediately eliminates the condition of
imposterhood.

I helped devise this policy, and I think it is fair and just. I would welcome
comments from users who agree or disagree. I believe this policy was executed
by popcorn when the accusation was made, and I consider that to be proper.
In general we are not interested in determining the identity of the imposter,
as that can be difficult and wastes our time. 
srw
response 3 of 37: Mark Unseen   Jan 29 08:52 UTC 1996

(Valerie slipped in)
morgayn
response 4 of 37: Mark Unseen   Jan 29 09:01 UTC 1996

Please do not misunderstand my post. I do not wish for this to become a huge
issue, but I am interested in seeing what other users' opinions are. I was
also interested in seeing what the staff's opinions were. I was hoping that
I could avoid creating a huge issue by not using any names but my own. 
   In response to Steve, I think that the current way of handling the
situation is both fair, and efficient. I understand that grex staff members'
time is limited, and I would not want it to be wasted on petty frivolity. I
don't want to seek 'revenge' against the user who recreated my account. I only
wanted to avoid deletion of my old posts. This was accomplished, and I am more
than pleased.
   I entered this item more to get others' comments, and to express my
gratitude to the staff for their help.
tsty
response 5 of 37: Mark Unseen   Jan 29 11:16 UTC 1996

this seems to have been handled just fine ... i would have thought though,
that perhaps the old loginid with a diff UID might have prevented
something from going all wrong ...

this sort of pseudo-grabbing and protection does seem to be somewhat
dependent upon "knowing" at least one of the persons rather well, and then
again, there wouldn't be much of a way around that, so with the
excellent descriptions and responses so early .... this should not
become a "huge issue."
ajax
response 6 of 37: Mark Unseen   Jan 29 12:28 UTC 1996

Sounds like a good policy is already in place.  I can't think of a
better way to handle the situation.
davel
response 7 of 37: Mark Unseen   Jan 29 12:46 UTC 1996

I *think* TS is correct, though I've never had occasion to test
it as such.  Picospan stores the UID (user ID #, which from the system's point
of view is who the user *really* is) as well as the user's login name, in each
item & response.  I *think* that a recreated account would not be able to
kill, or even freeze or thaw, items entered by the old account, or to
expurgate or scribble responses from the old account.  Certainly, if there
were any files owned by the old account hanging around anywhere, the new
account would have no special access rights to them (though this is much
less likely to come up on Grex than on some systems).
brighn
response 8 of 37: Mark Unseen   Jan 29 15:58 UTC 1996

I agree with Grex policy on this too.  Out of curiosity, what if 
somebody had activated the Morgayn account not out of malice but
simply because they liked the name?  My understanding is that Valerie
handed the account back to Melly not because of the handle itself
but because of the plan... is that accurate?  Presumably, if someone
had simply taken the handle, oblivious to Melly's previous use of
it, then things would have been acceptable?

(I was involved in the situation last night.  That does not embarrass
or humiliate me.  There are motivations that are not evident in #0 and
will not be disclosed.  This post is intended to clarify Valerie's
actions, not to find a loophole so something similar can be done again --
if not Ryan1 or Avi, after all.  8^)
bruin
response 9 of 37: Mark Unseen   Jan 29 16:40 UTC 1996

On a related note, somebody copied a Grex post I made from Winter Agora into
the Sex conference of M-net under the login "barebear" thus giving the
impression that my planned Hot Tub Birthday Bash was going to be a sex orgy.
I have since canceled my Oasis Hot Tub reservation and have notified staff
of both Grex and M-Net about this unauthorized use of my Grex post in the
M-Net sex conference.
jazz
response 10 of 37: Mark Unseen   Jan 29 18:04 UTC 1996

        Sheesh.  Behave, child, and beware the wrath of UNIX wizards, for they
are subtle and quick to anger.
arthurp
response 11 of 37: Mark Unseen   Jan 29 18:36 UTC 1996

I think the present policy is a good one.

I wondered what happened to the Oasis party.  I am sorry to hear
the bad news bruin.  
robh
response 12 of 37: Mark Unseen   Jan 29 18:55 UTC 1996

Re 8 - We've been through that hypothetical situation before.
Or have you forgotten the two mlady's already?  >8)

If the user had simply chosen that login id, and not put any
info in their .plan to suggest that they were deliberately
impersonating the other user, then staff probably wouldn't
have done a thing.  I know I wouldn't have.

Re 10 - I don't think I'm all that subtle, really.  >8)
brighn
response 13 of 37: Mark Unseen   Jan 29 19:37 UTC 1996

John, that wasn't a terribly constructive post, especially since
I was uncertain who it was addressed to.  I might point out that
it sounded like a threat.  I realize it was meant as a joke, and
that's in fact exactly what I took it as, whoever it was addressed
to (if anyone at all :} ).  But this is an emotional issue, so I'm
not certain how helpful humor of that sort is.  *shrug*

Yes, Rob, but the MLady situation is slightly different than the
one I suggest.  In Barbra's case, she was not around to comment.
I'm referring to a situation where a user has been asked to retire
a handle (for whatever reason... in Melly's case, it was accidental
mail spool abuse) and that handle is picked up by another user.
And yes, I'd supposed the situation would be the same... "Finders
keepers, losers weepers"... but I just wanted to clarify.  Thank
you for having done so.  :)
kerouac
response 14 of 37: Mark Unseen   Jan 29 20:26 UTC 1996

    Obviously no easy way around this particular situation.  In this
case no harm was done because staff knew that "morgaene" used to be
"morgayn",   but if this involved a user who wasn't validated or at
least well known it would be a sticky case of one login's word 
against another.
    Therefore this has to be something considered on a case by case
basis and can't be a uniform policy.  Couldn't staff have re-routed
morgayn's mail or stopped it without reaping the login itself? Or
if it had to be reaped, make it a mail alias so no one else can get it?
    Maybe this is another argument that there should be a policy 
in general regarding old logins.   This could have been avoided, for
instance, if newuser didn't allow old logins to be reused for six months
or a year after they'd been reaped.  I'd still be against a permanent
"retired" list, but surely a "this login has been temporarily retired"
for a limited amount of time wouldn't do any harm and might help avoid
situations such as this.
steve
response 15 of 37: Mark Unseen   Jan 29 20:38 UTC 1996

   The mailing lists she was on at the time seemed deaf.  When I heard
that she wasn't super attached to her account and offered to get another, 
I thought to myself, now we won't have to deal with humans at some site
about this.  Yes, it's possible to reroute mail, but it still comes into Grex,
and that was a large part of the problem--link bandwidth being used.

   I'm still against any kind of grace period for used logins, simply
because this happens so infrequently.  I haven't kept track of the number
of times that ids have been reused for bad purposes, but I'm certain it's
less than 20.  Considering that we've created in excess of 39,000 accounts
here now, this is a minor problem in the grand scheme of Grex.  I know it's
painful when it happens though--hope no one thinks I'm trying to diminish
things.
brighn
response 16 of 37: Mark Unseen   Jan 29 21:37 UTC 1996

Even though Melly is well known on Grex, Ker, the issue of he-said-she-said
is still a problem, since #0 contains some inaccuracies and exaggerations.
As with MLady (which any of several users could have asked to caretake),
the handle Morgayn could have been used by Melly, either as an account
or a mail alias, within a few weeks of the incident, allowing enough time
for the mail list admins to get it through their skull that she didn't
want to be on their lists.  It isn't Grex's responsibility, IMHO, to do
preventive maintenance to prevent this sort of incident, since the number
of times it happens is so small compared to the number of times it 
doesn't.  There are opposite situations:  the handle moon was taken by 
someone who logged in once or twice (as I understand it) and never came
back.  Anne Perry wanted it (her best friend at the time being sun), and
asked Popcorn for it.  I believe the reaping period had passed, but not
by much.  If there were an obligatory 1-year wait, that would have kept
Anne from using a handle which for all intents and purposes had no
meaning to anyone else.  I'm certain that this sort of thing happens
frequently; when I wanted to create a pseudo last week, I found out that
it was also taken, by somebody who registered three months ago and never
logged in a second time... I didn't bother asking for it, but I would've
seen no reason for a request for it to be denied.

Case by case is a good thought, but without a standard policy users can
too easily complain of mistreatment.  That was a concern here, since one
of the staffers involved and I have a history of hostility towards each
other.  Since there was something of a standard policy to fall back on,
I (so far) have no complaints of mistreatment.
kerouac
response 17 of 37: Mark Unseen   Jan 30 01:52 UTC 1996

  Brighn, the idea is to keep staff from getting involved or having to
get involved in what are essentially personal disputes between users.
Staff shouldn't be put into a situation where subjective decisions
have to be made and they are asked to take sides.  This is the sort of
thing that can cause a bad political climate on a board like this.
Maybe the bogus "morgayn" was a real person, but staff took Melly's
word for it because they knew her.  Since there is no good way to
deal with this,  the logical thing to do is to take steps to keep
this from happening at all.   So let every reaped login be on
a "retired" list for six months.   I don't think it would inconvenience
that many people (Anne for instance is "mooncat" instead of "moon"
which she probably likes better anyway)  And keeping old logins
retired for a period of time would also avoid new users from
possibly getting the old login's mail.
carson
response 18 of 37: Mark Unseen   Jan 30 02:31 UTC 1996

If the bogus "morgayn" wasn't really Mel, I doubt that the .plan
would have referred to the "morgaene" account. :P No one's
disputed that fact, and you really shouldn't casually ignore it
for the sake of speculation.

FWIW, I've met someone who happened to use a login ID that I
once used. We've become friends, and likely wouldn't have met
without the common bond of that particular ID.

Neither of us use it anymore, either. :)
mdw
response 19 of 37: Mark Unseen   Jan 30 02:54 UTC 1996

I was able to talk both with morgaene & with the person who had
recreated the morgayn account, & I'm quite convinced that #0 here is
substantially correct.  These situations often do have a fair amount of
subjectiveness to them, and there is certainly additional background
that helps to explain how this situation arose, but in this case, that
turned out to be irrelevant.  It's not possible for staff to "fix"
inter-personal problems; at best, all they can do is offer advice.

It is definitely the case that PicoSpan goes only by UID when deciding
who owns a response.  The only time reaping becomes a technical issue is
when a fair-witness is reaped, in the case of memberships, or in the
future if we decide to recycle UID's.
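
An added illustration, not part of the thread and not PicoSpan's code: a small Python model of the ownership rule described in responses 7 and 19, where each response records the author's UID next to the login name and permission to scribble is decided by UID alone. The class and function names and the login `olduser` are constructed for the example; the `recycle_uids` switch models the UID-recycling case mentioned in response 19.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    author_uid: int     # identity the ownership check relies on
    author_login: str   # stored for display only
    text: str

@dataclass
class System:
    recycle_uids: bool = False                     # hand reaped UIDs out again?
    next_uid: int = 1000
    accounts: dict = field(default_factory=dict)   # login -> uid
    free_uids: list = field(default_factory=list)  # UIDs released by reaping

    def newuser(self, login):
        if login in self.accounts:
            raise ValueError("login in use")
        if self.recycle_uids and self.free_uids:
            uid = self.free_uids.pop(0)
        else:
            uid = self.next_uid
            self.next_uid += 1
        self.accounts[login] = uid
        return uid

    def reap(self, login):
        # The login name becomes available again; the UID is only reusable
        # if recycle_uids is switched on.
        self.free_uids.append(self.accounts.pop(login))

    def post(self, login, text):
        return Response(self.accounts[login], login, text)

    def may_scribble(self, login, resp):
        # Ownership is decided by UID, never by the login string.
        uid = self.accounts.get(login)
        return uid is not None and uid == resp.author_uid

def scenario(recycle_uids):
    """Old account posts, is reaped, and the same login is created again."""
    s = System(recycle_uids=recycle_uids)
    s.newuser("olduser")                     # constructed login
    old = s.post("olduser", "an old response")
    s.reap("olduser")
    s.newuser("olduser")                     # a different person takes the name
    return {
        "login_matches": old.author_login == "olduser",
        "may_scribble": s.may_scribble("olduser", old),
    }

if __name__ == "__main__":
    print("fresh UIDs:   ", scenario(recycle_uids=False))
    print("recycled UIDs:", scenario(recycle_uids=True))
```

With fresh UIDs the recreated login matches by name but fails the ownership check; once UIDs are recycled the same check passes, which is why reaping only becomes a technical issue in that case.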
kerouac
response 20 of 37: Mark Unseen   Jan 30 03:09 UTC 1996

  Shouldn't fw's be put on the immortal list as a rule while they are
fw's?  Not that this is likely to happen, but fws have been reaped 
before I'm sure and someone, knowing the fw is about to be reaped,
could pounce on that login and take over a conf just to create chaos.
   Unless staff is made aware that an fw has been reaped, someone could
just step in and take over as fw with the same login without cfadmin's
knowledge right?
carson
response 21 of 37: Mark Unseen   Jan 30 03:30 UTC 1996

I doubt it, if the process is anything similar to M-Net's. If an
account is reaped, the reapee loses FW privileges. I don't think
that Grex goes through the bureaucracy that M-Net does to make
sure that happens.
brighn
response 22 of 37: Mark Unseen   Jan 30 08:37 UTC 1996

Ker, you do spend a lot of time on complicated speculation.
How would someone get such an account?  The UID, not the name
on the account, is certainly as relevant to FW power as to 
post and item creation and such... the only way to get access to
the UID, as far as I can tell, is to hack the account and steal
the password.  That is as much of a danger with active accounts 
as it is with those near reapage.  Furthermore, conferences with
important enough discussion that havoc could be created by such
a hacking would, presumably, be monitored by people who would know
that's up ... for instance, in the Poetry conference, enough people
complained that peacefrog seemed to be absent entirely as FW or
as poster.  It seems unlikely that a conf would go long enough with
an FW who is near reapage without suspicion being raised when said
FW allegedly reappears and starts rampaging.

At any rate, other than hacking the password, how would anyone who
is not the proper holder of a handle be able to wreak such havoc?

Also, what's to prevent someone from saying, "Hi, I was FW of Conf
Stuff and I had family problems that caused me to leave Grex for
six months.  Now my account's been immortalized, and I can't get 
it back.  Can I have my FWship back?" when all of that is a lie?

Or am I missing something, Ker?
bruin
response 23 of 37: Mark Unseen   Jan 30 11:27 UTC 1996

By the way, I have canceled the Oasis Hot Tub Party after the M-Net incident.
Anyway, the FW of the sex conference agreed to kill the item in question.
carson
response 24 of 37: Mark Unseen   Jan 30 12:50 UTC 1996

I think I said basically what brighn did without the verbiage. ;)

- Backtalk version 1.3.30 - Copyright 1996-2006, Jan Wolter and Steve Weiss