As the former U.S. president, I am proud to be a fellow member of this community. Despite evidence pointing to the alternative, I am confident impersonation will not be an issue.
-
Signed
- Barack Obama, former U.S. president
As a doctor of humanology, I have examined and can confirm this is the real Obama.
We all know your degree is in art history!
Thanks Mr. Krabs!
Thanks, Obama
I hope this becomes a Lemmy meme
damn, he was killing off subreddits before it was cool
That’s impossible. I know it can’t be the real Obama since he said he only uses Tildes.
It’s signed all official like so it’s clearly legitimate.
-
While there are technical solutions to that problem, realistically it’s only a problem if people start thinking they’re celebrities. Personally I prefer a platform that lets people dunk on celebrities.
There’s value in knowing if a response is from a specific person, even if they aren’t a celebrity.
But if you want to confirm which instance a username is from, you can do that. Even if reader apps hide it, you can always check the web page.
Yeah but who’s going to bother doing that?
If you can’t be bothered to check you probably don’t need to know who the author really is
I guess anyone who cares enough? You’ll still need some sort of external confirmation anyway.
Sync for reddit had a way you could tag users with labels like “so and so celeb”. I’m sure Lemmy apps will evolve something similar.
The app I’m running (Mlem) shows that you’re lemm.ee while the other RickRussell_CA is lemmy.world when I click on either of your names.
I think that’s an easy enough lift to sort it out, (though direct display might still be better).
Damn, straight up doxxed a fella. Cold af
Mlem has an option to always display instances under usernames
Haha, Liftoff! to the rescue. Full usernames FTW
If you can’t be bothered to check you probably don’t need to know who the author really is
Anyone who actually needs to know that info
If you can’t be bothered to check you probably don’t need to know who the author really is
As a long time reddit moderator, people creating similar usernames to impersonate another user is definitely a problem. That was instantly bannable in all the subs I’ve moderated.
Having color coded usernames calculated based on their full user/ host could help. Something like https://gustu.github.io/string-to-color/. That would make it more obvious that two users aren’t the same user.
In the subreddits dedicated to the Cosmere multiverse created by Brandon Sanderson, who is an active redditors, we had a meme of pinging something close to but not actually his username. Especially when it wasn’t something worth wasting his time.
But yeah, completely agree. I am sure it was frustrating.
As a long time reddit moderator, people creating similar usernames to impersonate another user is definitely a problem. That was instantly bannable in all the subs I’ve moderated.
Having color coded usernames calculated based on their full user/ host could help. Something like https://gustu.github.io/string-to-color/. That would make it more obvious that two users aren’t the same user.
As a long time reddit moderator, people creating similar usernames to impersonate another user is definitely a problem. That was instantly bannable in all the subs I’ve moderated.
Having color coded usernames calculated based on their full user/ host could help. Something like https://gustu.github.io/string-to-color/. That would make it more obvious that two users aren’t the same user.
I often get mistaken for Margot Robbie
I sometimes get mistaken for the human pope, while you can clearly see that I’m the raccoon pope.
Hashtag relatable
If I become a celebrity, you can dunk on me.
I’m strongly of the opinion that we should never be hiding the domain for either communities nor users. The domain is an important part of both of those. !Technology@beehaw.org and !Technology@lemmy.world are entirely separate communities and may have very different rules, so it’s important to know which one you’re on.
And for users, impersonation aside (because let’s be honest, impersonation could just as easily utilize display names or look-a-like characters), there’s also just plain confusion from legitimate users. Common usernames are totally going to be used across multiple servers. If you’re seeing comments from
john@smith.nameand alsojohn@lemmy.world, you’re gonna wanna be able to tell them apart (display names kinda run counter to this and I’m not certain they’re a good idea).display names kinda run counter to this and I’m not certain they’re a good idea
i think they would be a good idea if they worked like they do on mastodon: you get the display name and profile pic displayed prominently, but you still have the full username displayed below, with the domain included.
I think this is the only solution that makes sense, just like in email you always append your domain, whether is gmail.com or your own.
I agree. The domain is an important part of knowing what to expect. Different instances hold users to different standards. At very least it’s a differentiation between two users with the same name on different instances
No. The way Reddit works is that you care about the content, not the people posting it.
Mastodon must have a bigger problem with that (impersonation), but I don’t know if/how they solved it
I agree. An AMA would be hilarious with several imposter accounts answering people’s questions.
I am Hugh Jackman and I agree. Hope you enjoy my movies
Mastodon allows you to verify an account by adding a link to your Mastodon profile on a website you control, which will make the website marked as verified in the profile. It’s only worth as much as the trustworthiness of the website itself though.
The way Reddit works is that you care about the content, not the people posting it.
That’s mostly true, but not entirely. The OP of a thread should be a distinguished role, since their updates have significance in things like AMAs. It would also be good to highlight situations where a different person has joined a reply chain - if you have been having a 1:1 back-and-forth, and you see a new reply in that context, it’s easy to assume it’s coming from the same - an assumption that might make you incorrectly reference prior claims in the conversation as if they were made by that person.
RIF did the former, but not the latter (AFAIK).
it already is though. you get stuff like “creator”, “mod”, or “admin” appended next to usernames, at least on the web ui (“creator” means op, idk why they worded it this way)
This isn’t reddit
Eh. I use this for a videogame development community, and the sort of trolling we’ve had on Reddit would absolutely fit with someone trying to impersonate one of the developers to cause shit.
In fact that actually happened once on one forum.
Removed by mod
Holy shit! You just turned email addresses into lemmy posts/profiles!
Removed by mod
The way Reddit works is that you care about the content, not the people posting it.
That’s mostly true, but not entirely. The OP of a thread should be a distinguished role, since their updates have significance in things like AMAs. It would also be good to highlight situations where a different person has joined a reply chain - if you have been having a 1:1 back-and-forth, and you see a new reply in that context, it’s easy to assume it’s coming from the same - an assumption that might make you incorrectly reference prior claims in the conversation as if they were made by that person.
RIF did the former, but not the latter (AFAIK).
Right. Cause reddit never had celebrities or well known accounts. /s
Yes and they would have their identity verified by the sub
deleted by creator
The way Reddit works is that you care about the content, not the people posting it.
That’s mostly true, but not entirely. The OP of a thread should be a distinguished role, since their updates have significance in things like AMAs. It would also be good to highlight situations where a different person has joined a reply chain - if you have been having a 1:1 back-and-forth, and you see a new reply in that context, it’s easy to assume it’s coming from the same - an assumption that might make you incorrectly reference prior claims in the conversation as if they were made by that person.
RIF did the former, but not the latter (AFAIK).
deleted by creator
As far as I can tell the full username is only hidden on the same instance. So for instance, I see your full user name, but I only see the shortname for mine.
Mhm strangely your Name is shortened to Joe for me; but you are on a different Instance than I.
Isn’t it only if you have something configured in display name?
Oh. This makes sense.
Oh yeah good point, I have a displayname configured.
Oh this is interesting. Yours is shortened too.
I host my own instance and it’s just me (because I’m so unlikable I can’t even get my 2 FRIENDS to join my instance. I digress)
I wonder if there’s some setting or ENV variable somewhere on the instance to change that.
Both of you are shortened for me, unlike most others in this comment section. Weird.
If someone sets a display name that is used instead.
Ahh, that makes sense I suppose. Still would be nice to know the home instance at a glance somehow.
Mhm when you hover over a name, it displays the qualified name.
I’ve just been accessing Lemmy on mobile for now, so I don’t guess that feature translates exactly.
Same here on memmy but I can click the username and see the full path, like so:
Oh I just noticed that its under the username always!
Interesting that your client doesn’t show my Display Name (macniel) but instead uses my username (DmMacniel)
I think it’s also shortened if you set a “Display name”
I second this
Third
Hi Dr Zoidberg!
Funnily enough seems everyone is coming at this from the wrong angle personally. I don’t give af who I’m talking to sure, and I can confirm the instance if I must by clicking into their profile.
That said, I more so care about someone pretending to be me in an active thread. Like an active discussion or argument and someone decides to recreate your user on a different instanceand start inserting comments that confuse the discussion.
Or maybe you’ve stopped commenting, then someone else continues the conversation unbeknownst to you in your name.
you’re right, it’s a security issue!
client UIs must make it easy to keep track of who is who.
i think this could be resolved by assigning a color to each user based on a hash. maybe people would try to find collisions there (i.e. specifically find usernames that get the same color as you), but if you do something like
color_index = hmac(user_address, client_nonce) % color_countwhereclient_nonceis unique to each client, it would be impossible to manipulate usernames to get a collision or even a higher chance at it.The full user adress should suffice for the hash, because there is only one hyacinth@feddit.de, for example.
Also, do you really need a hash? Isn’t there a simpler alternative, developing an app?
yeah, the point is that if
hyazinthe@feddit.dehashes to, say, blue, they can try to find a similar-looking username that also hashes to blue, therefore helping with the impersonation. if you hash a client nonce that’s different for everyone, you may hash to blue on my screen but green on yours, and there will be no relation between who hashes to which color on your screen or mine. the impersonator will have no way to guess if their name would match colors on either of our screens, and if we have, say, 25, colors, it will be a static 4% chance no matter what they do.Ah, I understand. But couldn’t you just implement the unpredictable colors, you are trying to achive client-side, without hashing, say random order of colors?
I think it should go on the client, and the hash is pretty much a space saving measure. There are three options, as far as I see it:
- Assign random colors every time a page is rendered. This could get confusing on repeat visits, but it would come with the added perk of ensuring the impostor has a low chance of hitting the same color as the person they’re trying to impersonate every time.
- Assign random colors and save them on the client. This would probably balloon without an LRU data structure, but it could work.
- Use the hash. This basically generates random colors in a predictable way, implementing #2 without having to store anything.
Given that Lemmy does a lot of reloads on navigation I don’t think #1 would work well. The hash is a quick and easy way around the complexities of other implementations.
And yeah, in theory the server could store the client secret, making the colors consistent across all devices of a user, but it has to be non-public info. If it’s public, an impersonator could target a specific person and find a collision that fools them in particular.
Sounds like a good solution. To make the colors less invasive it could only activate once two different users with the same name comment in a single thread.
the problem is you’d need to check for visual similarity, not just the same. spammers and scammers of any kind often take advantage of the full power of unicode to create names that look like the same, but aren’t, and even without unicode you have the issues of I vs l, O vs 0, rn vs m, and so on. if we can figure out a check that the impersonators could actually have a hard time evading that would be nice, but otherwise i don’t really see it.
imo we should make the colors non-invasive by just minimizing their visual impact. painting the entire comment with the assigned color would be intrusive, but i see no issue with just coloring the usernames, in a very discord-like fashion.
Nice visual feedback.
Of course, I’d still want to see the instance with every user and also with every chanel.
Like email. Sure, some clients only show the first name, but somewhere I want to see the full address, can be small, can be hidden in a compact view, but full address is a must.
Bob@family.us is not bob@microsoft.com
www.bank.com is not www.bank.scammer.com
Berlin, Oregon is not Berlin (Germany)
Names are not unique. That’s why we have addresses.
Why would anyone do that?
I’ve never even slightly gave a shit to whoever I’m talking to on Reddit/Lemmy. That’s why I like these platforms, they revolve around the content, not the user. On platforms like Mastodon it’d be a bigger issue, but not so much here because there aren’t noteworthy commenters or posters or whatever.
Yeah, it’s a forum, it should be more like a cafe in terms of anyone talking to anyone, regardless of who that person is.
For big personalities and stuff every time it mattered in reddit, I saw proof that they’re them (ama’s usually)
YET
Identity theft is not a joke, Jim! Millions of families suffer every year!
Thanks for that important caution, actual real life Hollywood actresses Margot Robbie.
What kind of Internet weirdo would want to impersonate me anyways?
Do people generally pay much attention to usernames anyway? One of the things that attracted me to old-school forums, then reddit, and now the feddiverse is the decentralized anonymity. It’s all just voices, and they’re all treated as equal, though you can still look at their histories or profiles and get more context if you want. I like that it’s not front-facing. The ideas come first, and personality is secondary.
On Reddit, it depends on the subreddit. Some of them I don’t care about usernames at all, but on smaller or more specialty/niche subreddits there actually can be a “community” of people who learn about each other
I imagine it can be similar here
Something I can’t seem to figure out is what determines the @instance.whatever to appear after the username. For example, I’m on lem.ee and you are on lemmy.ml, but I see you as theksepyro, not theksepyro@lemmy.ml
Edit: WAIT I’m dumb. Is it just display name? hahah.
That’s what OP is referring to. You could make thekseyro@lem.ee and comment here, you’d both end up showing up as the same person on anyone using an app that doesn’t show the instance in the username.
Fair point.
Yeah, I don’t remember usernames. Everyone might as well be anon. I remember comments more than the username that posted it.
Usually not, but I saw a poppinKREAM on here and based on their post history, they’re not the same person as on Reddit.
Who cares about impersonation? I barely even look at usernames. It’s the thing I liked about Reddit, and now lemmy. The contrary to things like twitter, the who is way less important than the what.
Agree! I don’t think we need to care or that it’s a problem, but it was cool to be able to “page” a celebrity and know they (their publicist) are answering.
Or paging /u/captaindisillusion to end up seeing the post in one of his videos, or realizing the guy who “had you going in the first half” was /u/shittymorph himself.
We can totally do without it though.
It would be a good idea to have some kind of verification protocol that mods or instance admins can use for specific cases like AMAs or ‘expert’ accounts like you mention.
But with AMAs, those are typically one-time use accounts anyway, and the traditional verification of a current photo with a handwritten note in it is simple and sufficient.
Yup, the comment and post is way more important here than some wannabe celeb avatar next to it.
I think it would be nice to expect to see user’s full addresses in ui. You can tap around and find it in the options but that takes an active input. If someone is trying to spoof a well known user it should be readily apparent by their @instance registration.
I’m on liftoff and it displays the domain for everyone unless it matches the domain the post is on. I think this is a good solution. It cuts down some superfluous text while still fully identifying each commenter.
I disagree. That requires me to be cognizant of which community the post was in when I’m half way through the comments. Just consistently always show the full name.
Lemmy has display names.
Two users can have the same name on the same instance, even.
If you need to confirm someone is who they seem to be, the full handle is the only unique aspect.
I was wondering about this. I was surprised to get this name on an active instance. What would the next persons display name be on my instance if they signed up as Artemis?
That’s my point. It requires that other users actually check.
Reddit is bad in the same way. It has supported display names for a while now.
Do the display names actually change how your name appears in posts? I remember trying it some time ago, but it still defaulted to the original username.
That’s what it’s supposed to do. But not all apps respect user set display names. The webUI does, that’s why some users have their full handle displayed, while others don’t. The former are users who did not set their display names to anything.
Thunder used the handles of users without the instance name, at first, but I made github issue requesting it respect display names, since that’s what they are for.
It’s the internet the women are men the men are children and the children are fbi
Social engineering seems like it could be a bigger problem in the fediverse than on traditional social media platforms.
I feel that phishing becomes easier when there’s no single authoritative site to log into, as people may not check the URL as thoroughly. Impersonation also seems problematic.
Like much of the early internet, this new tech seems reliant on trusting the goodwill of others. I’m sure in time we will see the platform evolve to counteract the bad actors.
