Voting Security Discussion

Author: David

Posts

Archived
Read-only
Total: 122
David
David's avatar
Debates: 92
Posts: 1,218
4
7
10
David's avatar
David
4
7
10
Greetings!

This past week there was a nasty breach in voting integrity. The debate in question is here. At the last second, four votes came in. Two votes were voted bombs for Pro and two were counter-bombs for con. Needless to say, the moderator team is doing the best they can to get to the bottom of what happened and who is responsible. Here's what we definitely know so far:

(1) Entropy/Neg Entrop are the same people
(2) vave/veze are the same people

There is no IP match between the two so we are certain that there are two people at play. If you have any information on what happened, please let the administrative team know immediately. 

That being said, Mike and I have had a long conversation today. What we are thinking of is adding a few measures to ensure that new accounts can't be made to simply vote and leave. Here's what we are considering:

(1) Require 3 debates that have at least 3 rounds, are not forfeited, and are not troll debates; OR
(2) Require at least 500 quality forum posts; OR
(3) Prove to the moderator team that you understand the voting process by giving us three quality RFDs plus 200 forum posts 

I would also love to hear your thoughts on how to ensure the integrity of the voting process. 

Another point to make, we are considering adding the following:
(1) The ability for the moderator team to view full email addresses (currently the moderator team is not able to view email addresses); and 
(2) The ability to view the entire IP address for accounts

Any other feedback and suggestions would be appreciated.  

RationalMadman
RationalMadman's avatar
Debates: 574
Posts: 19,931
10
11
11
RationalMadman's avatar
RationalMadman
10
11
11
Seeing emails won't help you. You already can see all of that and lie to us but if you are honest with yourself, you'd know it wouldn't help you at all.

MagicAintReal has a paid VPN service, the clue is in the ISP, not the formatting of the IP numbers themselves. The ISP will be something unlike Sky, Virgin or Comcast, that when you Google the company it appears normal people can't hire it, only corporations can. Then if this is the case, he/she is either using a public library, their workplace internal internet service (some places have that if it's a highly secure company) or they are basically screwing around with you and have a VPN.

The issue will come that users who wish to remain anonymous end up associated with wrongdoers if they share the same VPN service with a malignant troll. That is the price you pay for anonymity. In short, if they share VPN but willingly reveal the 'real' IP from time to time and communicate with you, THAT is how you split people up.

If siblings or such want to use the site and convince you they're different people, that should be the only time this system can fail, but that's a given.
RationalMadman
RationalMadman's avatar
Debates: 574
Posts: 19,931
10
11
11
RationalMadman's avatar
RationalMadman
10
11
11
The clue is also in the devices being the same, but it appears his is so good it even blocks that out. Is he 'using Firefox'? This may mean he's not actually using Firefox, but Tor with Firefox-skin.
RationalMadman
RationalMadman's avatar
Debates: 574
Posts: 19,931
10
11
11
RationalMadman's avatar
RationalMadman
10
11
11
PM me for more info, I know how Anonymous was caught among alot of other things, these scum are culpable to slip-ups, they overestimate themselves frequently.
oromagi
oromagi's avatar
Debates: 117
Posts: 8,696
8
10
11
oromagi's avatar
oromagi
8
10
11
The blatancy of votes is odd- not likely somebody who hoped to alter the outcome so much as testing the fences.

The most obvious con is that we get few enough voters already without new restrictions.  I sort of enjoyed voting on a debate before debating.

On the other hand, building a membership of voters improves the value and accountability of invested voters. 

On the other stuff, I'm generally opposed to any decrease in privacy.

Vader
Vader's avatar
Debates: 30
Posts: 14,984
5
8
11
Vader's avatar
Vader
5
8
11
-->
@David
(1) Require 3 debates that have at least 3 rounds, are not forfeited, and are not troll debates; OR
I don't like this one. A debate takes countless hours and days to do something, and people do not have the ability to continuosly debate for that long. Some people have lives. A vote would require at most 1 hour, but a debate drags on for 10 days at least with lengthy arguments. I believe comparing debates to votes is a bad analogy
(2) Require at least 500 quality forum posts; OR
Define quality
(3) Prove to the moderator team that you understand the voting process by giving us three quality RFDs plus 200 forum posts 
This is the best option here. It shows a clear understanding of a debate and a full comprehension of what is going on in the debate. This definetly is the best option. It is an actual vote and it must have some time experience in order to level a vote. This should be instated.
(1) The ability for the moderator team to view full email addresses (currently the moderator team is not able to view email addresses); and 
(2) The ability to view the entire IP address for accounts
No offense to any of y'all, but I don't trust random internet people, even if they are moderators of some sort. Especially if the site isn't "verified". This means if a mod is hacked or info of the site is breached, (which could be common due to foreignness of bsh and Mike) all my info is out there for the world to see. And what if the mod is some sort of pedo trying to get into my account(not saying you would be). I just am not comfy with that idea, especially for teens on the site

I'd prefer email if it had to come down to that. A new email address could be made
RationalMadman
RationalMadman's avatar
Debates: 574
Posts: 19,931
10
11
11
RationalMadman's avatar
RationalMadman
10
11
11
-->
@David
I think the 3+1 method I suggested in pm is the best to go for. yes all three must qualify as non-troll if the 3 in your 4 is 'debate'.
RationalMadman
RationalMadman's avatar
Debates: 574
Posts: 19,931
10
11
11
RationalMadman's avatar
RationalMadman
10
11
11
there should always remain exceptions such as castin and outplayz who get to vote with being forum-mains. Exceptions being greenlighted should be a side-avenue to get voting rights.
RationalMadman
RationalMadman's avatar
Debates: 574
Posts: 19,931
10
11
11
RationalMadman's avatar
RationalMadman
10
11
11
-->
@David
Don't enact this retroactively though. Users who've proven themselves shouldn't have to 'pass'. It's not unfair, it's rewarding loyalty.
Barney
Barney's avatar
Debates: 53
Posts: 3,465
5
9
10
Barney's avatar
Barney
5
9
10
I suggest a multiple choice test to enable voting privileges. This could use an extremely short fake debate, to highlight certain rules...

While more complex, the types of voting could be separated. Such as argument point only debates (or even just argument point only votes), requiring lower standard than categorical voting.
Castin
Castin's avatar
Debates: 0
Posts: 2,266
3
2
7
Castin's avatar
Castin
3
2
7
-->
@David
(1) Require 3 debates that have at least 3 rounds, are not forfeited, and are not troll debates
So users who like to vote but not debate would effectively be purged from the voting pool with this option?

David
David's avatar
Debates: 92
Posts: 1,218
4
7
10
David's avatar
David
4
7
10
-->
@Castin
It's possible, which is why we might be able to do a combination of what I propose 
Vader
Vader's avatar
Debates: 30
Posts: 14,984
5
8
11
Vader's avatar
Vader
5
8
11
i dont like the idea of a random stranger on an un official website looking @ my ip
bsh1
bsh1's avatar
Debates: 14
Posts: 2,589
5
5
8
bsh1's avatar
bsh1
5
5
8
I think a simpler solution would be to do what DDO does with cell phones and manual confirmations.
David
David's avatar
Debates: 92
Posts: 1,218
4
7
10
David's avatar
David
4
7
10
-->
@bsh1
cell phones are a bit tricky because they're expensive and easy to get around 
bsh1
bsh1's avatar
Debates: 14
Posts: 2,589
5
5
8
bsh1's avatar
bsh1
5
5
8
-->
@David
See, I am just not technical, but what about 2 factor confirmation?
David
David's avatar
Debates: 92
Posts: 1,218
4
7
10
David's avatar
David
4
7
10
-->
@bsh1
2 factor confirmation is more of a extra security for logging in. I think it's super helpful for the admins to require 2FA, but I dont think it'll solve the problem. 

bsh1
bsh1's avatar
Debates: 14
Posts: 2,589
5
5
8
bsh1's avatar
bsh1
5
5
8
-->
@David
Fair enough. This will need to be MEEP'd at some point. Let's discuss it more, and we can MEEP it next week.
David
David's avatar
Debates: 92
Posts: 1,218
4
7
10
David's avatar
David
4
7
10
-->
@bsh1
Yeah - this is just a discussion of what it should look like. We should take what we gleen from this and put it up for a MEEPs

Ramshutu
Ramshutu's avatar
Debates: 43
Posts: 2,768
6
9
10
Ramshutu's avatar
Ramshutu
6
9
10
The main issue is here, is anyone can start up an account today, and immediately post a vote on their own debate, and it’s near impossible to definitively prove that you’re doing it.

In addition, there are at least two accounts has that are almost certainly sock puppets that have posted multiple votes and affected the outcome of at least one debate - a conclusion based on highly suspicious activity profiles, voting patterns, and specific give aways that I don’t want mention at this time.

I don’t think you can really stop anyone hell bent on creating a voting account, but in my view, an individual user needs to have sufficient activity on the forum, debates, or in general in order to vote. The requirements should be set to a high enough level that few people would be willing go to such lengths to pretend to be an active user in order to vote.

I think all the limits virt mentioned are valid as a “any one of 3” case: IE, if you have any one of the three criteria you can vote.

I do also think there is an additional minimum of at least 2 weeks before someone can vote on a debate.


Vader
Vader's avatar
Debates: 30
Posts: 14,984
5
8
11
Vader's avatar
Vader
5
8
11
-->
@Ramshutu
A combo of 350+ forum posts and a test RFD would be very idle
Ramshutu
Ramshutu's avatar
Debates: 43
Posts: 2,768
6
9
10
Ramshutu's avatar
Ramshutu
6
9
10
-->
@Vader
Did you mean ideal?

I don’t think a test RFD is necessary, we have mods to remove bad votes, and hopefully when enough votes are bad enough, people will have their voting rights taken away (this is already in the CoC)

The main examples of suspicious behaviour patterns, are new sign ups not participating in the debates or forums, logging in, voting then disappearing for long stretches of time, then appearing again with minimal other activity, voting, then disappearing.

There’s no legit voters I’m aware of that would be obviously prevented from voting imo with these.
Vader
Vader's avatar
Debates: 30
Posts: 14,984
5
8
11
Vader's avatar
Vader
5
8
11
-->
@Ramshutu
Yea I meant that
Vader
Vader's avatar
Debates: 30
Posts: 14,984
5
8
11
Vader's avatar
Vader
5
8
11

I don’t think a test RFD is necessary, we have mods to remove bad votes, and hopefully when enough votes are bad enough, people will have their voting rights taken away (this is already in the CoC)
This clearly isn't sufficient enough when you look at the scenario. There needs to be a way to fully prevent something like this again. A test RFD can solve for this. Plus it will have a legit effect when you add forum. It will boost site activity
The main examples of suspicious behaviour patterns, are new sign ups not participating in the debates or forums, logging in, voting then disappearing for long stretches of time, then appearing again with minimal other activity, voting, then disappearing.
That isn't always obvious
There’s no legit voters I’m aware of that would be obviously prevented from voting imo with these.
It depends
DebateArt.com
DebateArt.com's avatar
Debates: 0
Posts: 1,403
3
3
8
DebateArt.com's avatar
DebateArt.com
3
3
8
-->
@bsh1
I think a simpler solution would be to do what DDO does with cell phones and manual confirmations.
I am afraid that's just beyond expensive, the prices are insane.

DebateArt.com
DebateArt.com's avatar
Debates: 0
Posts: 1,403
3
3
8
DebateArt.com's avatar
DebateArt.com
3
3
8
-->
@Vader
No offense to any of y'all, but I don't trust random internet people, even if they are moderators of some sort. Especially if the site isn't "verified". This means if a mod is hacked or info of the site is breached, (which could be common due to foreignness of bsh and Mike) all my info is out there for the world to see. And what if the mod is some sort of pedo trying to get into my account(not saying you would be). I just am not comfy with that idea, especially for teens on the site

I'd prefer email if it had to come down to that. A new email address could be made
Yeah, that's a very fair point.
DebateArt.com
DebateArt.com's avatar
Debates: 0
Posts: 1,403
3
3
8
DebateArt.com's avatar
DebateArt.com
3
3
8
-->
@David
2 factor confirmation is more of a extra security for logging in. I think it's super helpful for the admins to require 2FA, but I dont think it'll solve the problem. 
Good point, I also thought about, 2FA for the mods would be a great thing to have.
David
David's avatar
Debates: 92
Posts: 1,218
4
7
10
David's avatar
David
4
7
10
Update 

Mike and I have had a very long conversation and did a long investigation. Our results show that Magic attempted to cheat by using the DebateVoter account. We also proved that he attempted to cheat by voting for himself at the last minute in his debates with death23. Needless to say they are all permanently banned. 

Many thanks to Ramshutu, RM, and death23 for some awesome scum hunting! 

The mod team apologizes to those who had their debates messed up by these cheaters. Mike will hopefully be adding the ability to remove votes after the voting period to add to the voting integrity. 

Thank you. 

Virtuoso 
Deputy Moderator 

RationalMadman
RationalMadman's avatar
Debates: 574
Posts: 19,931
10
11
11
RationalMadman's avatar
RationalMadman
10
11
11
-->
@David
You are literally the most enthusiastic and genuine mod I've met in the entire Internet. Fucking love how open you are to communication and appreciation.
Vader
Vader's avatar
Debates: 30
Posts: 14,984
5
8
11
Vader's avatar
Vader
5
8
11
-->
@David

So magic is perma banned