Yes, of course, but if we start to talk in these terms, the first in line is the standard question: What is your threat model?
I also don’t think there’s a good solution to sockpuppetry short of mandatory biometrics.
But the existing reputation systems don’t let you make that trade-off
Why not? The trade-off is in the details of how much reputation matters. There is a large space between reputation being just a number that’s not used anywhere and reputation determining what, how, and when you can post.
very vulnerable to attack
Attack? Again, threat model, please.
“Bad” posters are tautologically a disincentive for most users
Not if it’s trivially easy to block/ignore them, which is the case for Twitter and FB.
An attacker creates a large number of nodes and overwhelms any signal in the initial system.
For the specific example of a reddit-based forum, it’s trivial for an attacker to make up a sizable proportion of assigned reputation points through the use of sockpuppets. It is only moderately difficult for an attacker to automate the time-consuming portions of this process.
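To put rough (and entirely hypothetical) numbers on that, a small vote-share calculation shows how little effort is needed once organic voting traffic is modest:

```python
# Back-of-envelope sketch: what fraction of a day's reputation points an
# attacker controls with a small sockpuppet pool. All numbers are hypothetical.

def attacker_vote_share(puppets: int, votes_per_puppet_per_day: int,
                        organic_votes_per_day: int) -> float:
    """Fraction of a day's votes cast by the attacker's accounts."""
    attacker_votes = puppets * votes_per_puppet_per_day
    return attacker_votes / (attacker_votes + organic_votes_per_day)

# A small forum: ~400 organic votes/day; 20 puppets casting 30 votes each.
share = attacker_vote_share(puppets=20, votes_per_puppet_per_day=30,
                            organic_votes_per_day=400)
print(f"Attacker casts {share:.0%} of all votes")  # -> Attacker casts 60% of all votes
```

Under those assumed numbers, twenty puppets casting thirty votes a day already outvote the rest of the forum.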
I also don’t think there’s a good solution to sockpuppetry short of mandatory biometrics.
10% of the problem is hard. That does not explain the small amount of work done on the other 90%. The vast majority of sockpuppets aren’t that complicated: most don’t use VPNs or anonymizers, most don’t show large stylistic variation, and many even use the same browser from one persona to the next. It’s also common for sockpuppets to have certain network attributes in common with their original persona. Full authorship analysis has both structural (primarily training bias) and pragmatic (CPU time) limitations that would make it infeasible for large forums...
But there are a number of fairly simple steps to fight sockpuppets that computers handle better than humans, yet which still require often-unpleasant manual work to check. For example: limit the ability of low-karma users to upvote.
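A minimal sketch of the kind of cheap, automatable checks meant here, assuming hypothetical account records that expose login IPs, browser strings, and activity hours (not any real forum’s schema):

```python
# Minimal sketch of cheap sockpuppet signals a computer can check automatically.
# The Account fields are hypothetical; a real forum would pull these from logs.
from dataclasses import dataclass, field
from ipaddress import ip_network

@dataclass
class Account:
    name: str
    ips: set[str] = field(default_factory=set)           # IPs seen at login
    user_agents: set[str] = field(default_factory=set)   # browser strings seen
    active_hours: set[int] = field(default_factory=set)  # hours of day with posts

def shared_subnet(a: Account, b: Account, prefix: int = 24) -> bool:
    """True if the two accounts have ever appeared on the same /prefix network."""
    nets_a = {ip_network(f"{ip}/{prefix}", strict=False) for ip in a.ips}
    nets_b = {ip_network(f"{ip}/{prefix}", strict=False) for ip in b.ips}
    return bool(nets_a & nets_b)

def suspicion_score(a: Account, b: Account) -> int:
    """Count of cheap signals linking two accounts; high scores go to a human."""
    score = 0
    score += shared_subnet(a, b)                          # same network, no VPN in play
    score += bool(a.user_agents & b.user_agents)          # identical browser string
    score += len(a.active_hours & b.active_hours) >= 6    # similar daily rhythm
    return score
```

The point isn’t that any single signal is conclusive; it’s that a machine can compute all of them across every pair of suspicious accounts and hand a short list to a human, which is exactly the part that is unpleasant to do by hand.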
Why not? The trade-off is in the details of how much reputation matters. There is a large space between reputation being just a number that’s not used anywhere and reputation determining what, how, and when you can post.
Yes, but there aren’t documented open-source systems that do these things beyond the most basic level. At most, there are simple reputation systems where reputation has a small impact on site functionality, such as this site. But Reddit’s codebase does not allow upvotes to be limited or weighted based on account age, does not have […], and would require pretty significant work to change any of these attributes. (The main site at least counters some of the more overt mass-downvoting by acting against downvotes applied via the profile page, but this doesn’t seem to be present here?)
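None of the following exists in Reddit’s code; it is only a sketch, under made-up thresholds, of the sort of hook being asked for: weight votes by account age and refuse to count upvotes from low-karma accounts at all.

```python
# Hypothetical vote-weighting hook; not Reddit's code, just the kind of rule
# its codebase currently offers no place to plug in. Thresholds are made up.
from datetime import datetime, timedelta, timezone

MIN_KARMA_TO_UPVOTE = 10             # assumed threshold
MIN_ACCOUNT_AGE = timedelta(days=7)  # assumed threshold

def vote_weight(account_created: datetime, karma: int, now: datetime) -> float:
    """Weight a vote between 0.0 and 1.0 instead of counting every vote as 1."""
    if karma < MIN_KARMA_TO_UPVOTE:
        return 0.0                    # low-karma accounts cannot move scores
    age = now - account_created
    if age < MIN_ACCOUNT_AGE:
        return 0.0                    # brand-new accounts cannot move scores
    # Ramp from 0.25 up to full weight over the account's first 90 days.
    return max(0.25, min(1.0, age / timedelta(days=90)))

# Example: a two-week-old account with 50 karma gets a heavily discounted vote.
now = datetime.now(timezone.utc)
w = vote_weight(now - timedelta(days=14), karma=50, now=now)
print(round(w, 2))  # 0.25
```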
Not if it’s trivially easy to block/ignore them, which is the case for Twitter and FB.
If a large enough percentage of outside user content is “bad”, users begin to treat that space as advertising and ignore it. Many forums also don’t make it easy to block users (see here), and almost none handle blocking even the most overt of sockpuppets well.
An attacker creates a large number of nodes and overwhelms any signal in the initial system.
For the specific example of a reddit-based forum, it’s trivial for an attacker to make up a sizable proportion of assigned reputation points through the use of sockpuppets. It is only moderately difficult for an attacker to automate the time-consuming portions of this process.
You seem to want to build a massive sledgehammer-wielding mech to solve the problem of fruit flies on a banana.
So the attacker expends a not inconsiderable amount of effort to build his sockpuppet army and achieves sky-high karma on a forum. And...? It’s not like you can sell karma, or even gain respect for your posts from anyone other than newbies. What would be the point?
Not to mention that there is a lot of empirical evidence out there: formal reputation systems on forums go back at least as far as early Slashdot and, y’know, they kinda work. They don’t achieve anything spectacular, but they also tend not to have massive failure modes. Once the sockpuppet general gains the attention of an admin or at least a moderator, his army is useless.
You want to write a library which will attempt to identify sockpuppets through some kind of multifactor analysis? Sure, that would be a nice thing to have, as long as it’s reasonable about things. One of the problems with automated defense mechanisms is that they can often be used as DoS tools if the admin is not careful.
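One way to keep such a library “reasonable about things” (this is only a sketch of a design choice, not any existing library) is to make it advisory: detections go into a moderator review queue, nothing is blocked automatically, and any single signal source can only add so many entries per day, so deliberately tripping the detector doesn’t let an attacker flood the moderators or lock other users out.

```python
# Sketch of an advisory-only defense mechanism: detections queue human review
# rather than triggering automatic bans, and each signal source is capped so
# it cannot be abused to flood the queue. Entirely hypothetical design.
from collections import defaultdict

MAX_FLAGS_PER_SOURCE_PER_DAY = 20  # assumed cap

class ReviewQueue:
    def __init__(self) -> None:
        self.pending: list[tuple[str, str]] = []               # (account, reason)
        self.flags_today: defaultdict[str, int] = defaultdict(int)

    def flag(self, source: str, account: str, reason: str) -> bool:
        """Ask a moderator to look at an account; never act automatically."""
        if self.flags_today[source] >= MAX_FLAGS_PER_SOURCE_PER_DAY:
            return False                                       # drop, don't amplify
        self.flags_today[source] += 1
        self.pending.append((account, reason))
        return True
```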
If a large enough percentage of outside user content is “bad”
That still actually is the case for Twitter and FB.