this post was submitted on 21 Jun 2023
3 points (80.0% liked)

Lemmy

13645 readers
8 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 5 years ago
MODERATORS
nutomic@lemmy.ml
3
How can federated networks protect their users from impostor accounts? (lemmy.ml)
submitted 2 years ago by itsmikeyd@lemmy.ml to c/lemmy@lemmy.ml
10 comments fedilink hide all child comments
 

I was recently approached by a user claiming to be the developer of Sync for Lemmy who wanted to be a moderator of the community I created, !syncforlemmy.

I was able to verify this user was indeed LJ Dawson as I knew where to contact him on Discord.

It is quite possible that an impostor user on another instance may be created, for example ljdawson@beehaw.org could easily be made.

Should Lemmy have a verified user marker for members who are of importance to any given community? Are there any other options to protect users against nefarious persons playing impostor?

all 11 comments
sorted by: hot top controversial new old
[–] RedCanasta@lemmy.fmhy.ml 4 points 2 years ago (1 children)

Should Lemmy have a verified user marker for members who are of importance to any given community?>

No, everyone is equal here and I want to keep it that way. I don't want this to be twitter.

Are there any other options to protect users against nefarious persons playing impostor?>

You mean besides the one where you just successfully figured out the person was legit through verifying them?

No, it should be up to the community mods to verify someone is legit not the app itself.

[–] itsmikeyd@lemmy.ml 4 points 2 years ago

I respect your position, but I think that as federated services gain popularity, the percentage of users who have the nous to validate any person decreases. Additionally, I can't image users being happy about answering large numbers of validation messages.

[–] SheeEttin@lemmy.world 1 points 2 years ago

No.

Let's say you trust billg@microsoft.com. Anyone can already create billg@scam-site.cn. You wouldn't trust that, why would you trust any other account you can't authenticate?

Like most impersonation questions, the answer is to verify identity through a known trusted source, as you did.

[–] lrabbt@lemmy.world 1 points 2 years ago* (last edited 2 years ago) (1 children)

I like mastodon's solution. That is, validate a public identity, like a site, your site appears on your profile and it's only verified it you have proof inside the site itself.

On this specific case, the Sync team may have their lemmy users on the Sync site.

[–] Izzy@lemmy.world 0 points 2 years ago (1 children)

Nobody else can have the username Izzy@lemmy.world so that is proof enough that I am me within lemmy. If you have some identity outside of lemmy then that identity should be verified outside of lemmy.

[–] Earthwormjim91@lemmy.world 2 points 2 years ago (1 children)

That’s doesn’t mean anything though.

Nobody else can have the username Izzy@lemmy.world but Lemmy.world is only one of hundreds of instances on Lemmy.

I could go right now and make Izzy@ and depending on the client used, nobody would be able to tell the difference if that client doesn’t list the instance as part of the username. For example, both mlem and Memmy on iOS do not show full usernames by default. You just show up as Izzy to me. So Izzy@lemmy.world and Izzy@lemmy.ml would show as the same user to me.

[–] SheeEttin@lemmy.world 1 points 2 years ago (1 children)

That is a deficiency in those implementations, not in the platform itself.

[–] Earthwormjim91@lemmy.world 1 points 2 years ago

Unless the Lemmy devs create their own app, the vast majority of users are going to use third party apps like mlem and Memmy.

So it’s still a problem with the platform if the username databases for instances don’t validate against each other to prevent reuse and impersonation.

[–] PlutoniumAcid@lemmy.world -2 points 2 years ago

A verified user marker? Maybe, like, a blue checkmark?