Author Topic: [Proposal] Protection Against Account Impersonation And Mimicry  (Read 2781 times)


Offline gamey

  • Hero Member
  • *****
  • Posts: 2253
    • View Profile
I agree about core functionality being most important but definitely a fun topic.

Faces are great, but different cultures develop different senses for the distinction in faces. 

What I proposed was more like we pick the 64 most known leaders.  With goofy hats, hair, poses, etc.  Not just purely a face, but an actual recognizable person in full unique clothing complete with a pose etc.  That sort of thing.  It has the same problem as a lot of these fuzzy hash attacks (that being searching through plausible hash inputs to find a similar picture).

In my suggestion, perhaps people weigh the background element 50% and the rest of the hash is largely wasted. I have no !@#$#!@ clue without some sort of experiment!   It definitely isn't tested, but I feel it would be an improvement over robo-hashes, but I don't think that means much either.
I speak for myself and only myself.

Offline emski

  • Hero Member
  • *****
  • Posts: 1282
    • View Profile
    • http://lnkd.in/nPbhxG
The human face is the most easily analyzed object to the human mind

Good point! However there are subsets of faces (Asian, Indian, Arabic, Caucasian etc) that may appear identical to a person belonging to another group.
Also in my proposal if you have a face as avatar and someone wants to have similar name AND his face as avatar => he will fail. The only way it could happen is if the skin tone is significantly different or the background is of totally different color.

However just showing account id(s) as second level verification might work out pretty well. My proposal is somewhat complex and needs some tweaking before being effective and I'm not sure the developer's time is best spent (at this moment) there. IMHO the easiest/fastest solution that provides "good enough" security should be implemented at first. However at a later point in time - WE SHOULD HAVE CUSTOM AVATARS !

Another solution similar to CoinHoarder is the following:

Similarity Groups
Assuming account name similarity function is available (as in my proposal).

1. User registers new account "newname".
2. If there is no registered account similar to "newname" => "newname" is assigned a property 1. (This could be just a number, or an image or a string; the only requirement is that 1 differs from 2 and both of them differ from 3 and so on.)
3. If there is a registered account name similar to "newname" (for example "nevvname") => "newname" is assigned property 2.
4. If there are more registered similar accounts => "newname" is assigned property <number of registered similar accounts> + 1

Though this topic is fun to discuss it is not as important at the moment as the core functionality.
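
The Similarity Groups steps above, as an added example (not code from the post or from BitShares). The similarity function is an assumption: a small look-alike table plus a one-edit Levenshtein distance stand in for whatever function the proposal intends.

```python
# Added illustration. HOMOGLYPHS and max_edits are assumed values, not from the thread.
HOMOGLYPHS = (("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"))

def skeleton(name):
    """Fold look-alike sequences so visually similar names collapse together."""
    s = name.lower()
    for seq, canon in HOMOGLYPHS:
        s = s.replace(seq, canon)
    return s

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute), one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similar(a, b, max_edits=1):
    """Names are similar when their skeletons differ by at most max_edits."""
    return edit_distance(skeleton(a), skeleton(b)) <= max_edits

class Registry:
    """Assigns each new name the property <number of similar registered names> + 1."""

    def __init__(self):
        self.accounts = {}  # name -> property

    def register(self, name):
        if name in self.accounts:
            raise ValueError("name already registered")
        count = sum(1 for other in self.accounts if similar(name, other))
        self.accounts[name] = count + 1
        return count + 1

if __name__ == "__main__":
    reg = Registry()
    # Constructed sample names, registered in this order.
    for n in ("newname", "nevvname", "newnam", "bytemaster"):
        print(n, reg.register(n))
```

A wallet would display the property next to the name, so the first holder of a name always shows 1 and every later look-alike shows a higher value.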

Offline CoinHoarder

  • Hero Member
  • *****
  • Posts: 660
  • In Cryptocoins I Trust
    • View Profile
I agree something needs to be done to protect users from alias scamming by making similar aliases to popular services. Although, I don't think adding more robots or changing the avatars is the proper solution.

I suggest adding a random 4 digit number at the end of each alias. Assuming you use 0 through 9, this provides 10,000 different strings of numbers a user could get. Only assign these numbers when a user registers their account, so there would be a huge cost for someone to imitate an alias and receive a similar number after it. By the time someone is lucky enough to generate a similar string to the account they are trying to imitate, the accounts that resemble the account that they are trying to imitate will be taken (ignoring the string).

You could further increase the cost of such alias squatting by increasing the entropy using alphanumeric characters instead of only numbers. I suggested only numbers so the strings are easier to remember, that is why I suggested only using 4 as well.

You could truncate the last 4 characters of the previous block's hash, or use some other method. Obviously this is all arbitrary data... there are other ways you could implement a similar system.
« Last Edit: September 21, 2014, 05:56:20 am by CoinHoarder »
https://www.decentralized.tech/ -> Market Data, Portfolios, Information, Links, Reviews, Forums, Blogs, Etc.
https://www.cryptohun.ch/ -> Tradable Blockchain Asset PvP Card Game

Offline carpet ride

  • Hero Member
  • *****
  • Posts: 544
    • View Profile

I'm only proposing something that is functionally the same as a robohash but where differences become far more apparent to the casual observer due to how the picture is framed in a person's mind.  It becomes a surreal picture of sorts with semantic context.

You may very well be right about the picture comparison if that is a domain of your interest.   I have no clue about the algorithm you just mentioned.  You are right that some "name similarity" threshold could be hit before comparing pictures so that makes it workable.  Personally, I'd like to be able to select my own picture.

The human face is the most easily analyzed object to the human mind
All opinions are my own. Anything said on this forum does not constitute an intent to create a legal obligation between myself and anyone else.
Check out my blog: http://CertainAssets.com
Buy the ticket, take the ride.

Offline joele

  • Sr. Member
  • ****
  • Posts: 467
    • View Profile
What about adding a short text message on an account? This text is only saved in your local db, not in the blockchain.

So you can put your own verification message on an account that you know is the right one.

Offline hadrian

  • Sr. Member
  • ****
  • Posts: 467
    • View Profile
  • BitShares: hadrian


The problem with the robots is they all look the same except for their colors... Well they look different, but not in ways that we remember as people unless you have a robot fetish.



edit: gamey has a point - bytemaster looks at a glance like bitsapphire, only with a bigger head!
« Last Edit: September 21, 2014, 12:48:35 am by hadrian »
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline gamey

  • Hero Member
  • *****
  • Posts: 2253
    • View Profile

I'm only proposing something that is functionally the same as a robohash but where differences become far more apparent to the casual observer due to how the picture is framed in a person's mind.  It becomes a surreal picture of sorts with semantic context.

You may very well be right about the picture comparison if that is a domain of your interest.   I have no clue about the algorithm you just mentioned.  You are right that some "name similarity" threshold could be hit before comparing pictures so that makes it workable.  Personally, I'd like to be able to select my own picture. 
I speak for myself and only myself.

Offline emski

  • Hero Member
  • *****
  • Posts: 1282
    • View Profile
    • http://lnkd.in/nPbhxG
@gamey
Any system similar to robo-hash including your proposal can be gamed the following way:
Select a set of targets you wish to mimic (account names):
Construct all possible similar names for each target using at least one of the following methods:
1-3 missing letters
1-3 changed letters (change means exchange 1 letter with another one)
1-3 changed letters with homoglyph (or combination of two letters that might be considered homoglyph like "vv" instead of "w" )

From each set of images pick a set most closely resembling the original.
Impersonate.
There is no guarantee that you'll not end up with similar OR identical image.

My proposal could also be gamed to some extent. For example if you consider human image perception you might create an image with similar shapes but completely different colors. This will trick a lot of people (Try to remember each color in the Google logo, will you notice if I exchange the color of the letters?).

However in my proposal you can add pattern recognition that ignores color and even notification of each similar account.
As this is a concern only for visually similar account names the added average complexity (assuming relatively small images) is minimal. Of course custom avatar AND similar to account name is a luxury so it should be priced accordingly.

I think that free avatar choice should be allowed (maybe not in the near future as there are more important things to do at this time).

Offline emski

  • Hero Member
  • *****
  • Posts: 1282
    • View Profile
    • http://lnkd.in/nPbhxG
Scalability is an issue with large images; however, avatar images are relatively small.
Image similarity check needs to be done only if your account name is similar to another one.
Account name similarity check is with linear complexity (linear by the length of the account name being checked).

Can you suggest 2 images that will fail the proposed test with the following settings:

4x bilinear downscale
Luminance-preserving Grayscale to 8bpp BW image
Threshold of 30% ( absolute value 77 ).

This will flag a lot of images as similar (even though they are not)  but it should not allow visually similar images.
« Last Edit: September 20, 2014, 11:42:05 am by emski »
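
The test settings listed in the post above, as an added example (not code from the post or from the linked proposal document). The comparison rule is an assumption: two images are flagged similar when the mean absolute luminance difference after downscaling is at most 77. Equal-sized avatars and Rec. 601 luma weights are also assumed.

```python
# Added illustration; the flagging rule and the sample images are constructed.
SCALE = 4
THRESHOLD = 77  # 30% of the 0..255 range, the absolute value quoted in the post

def luminance(img):
    """RGB rows -> 8-bit grayscale using Rec. 601 luma weights (assumed)."""
    return [[round(0.299 * r + 0.587 * g + 0.114 * b) for r, g, b in row]
            for row in img]

def downscale4(gray):
    """4x bilinear downscale: sampling at each 4x4 block's centre is the
    mean of the block's four central pixels."""
    out = []
    for y in range(0, len(gray) - SCALE + 1, SCALE):
        row = []
        for x in range(0, len(gray[0]) - SCALE + 1, SCALE):
            centre = [gray[y + dy][x + dx] for dy in (1, 2) for dx in (1, 2)]
            row.append(round(sum(centre) / 4))
        out.append(row)
    return out

def fingerprint(img):
    return downscale4(luminance(img))

def mean_difference(a, b):
    fa, fb = fingerprint(a), fingerprint(b)
    if len(fa) != len(fb) or len(fa[0]) != len(fb[0]):
        raise ValueError("images must have the same dimensions")
    diffs = [abs(p - q) for ra, rb in zip(fa, fb) for p, q in zip(ra, rb)]
    return sum(diffs) / len(diffs)

def flagged_similar(a, b):
    return mean_difference(a, b) <= THRESHOLD

def two_tone(left, right, size=16):
    """Constructed sample avatar: left half one colour, right half another."""
    return [[left if x < size // 2 else right for x in range(size)]
            for _ in range(size)]

BASE = two_tone((20, 20, 120), (240, 220, 60))        # dark blue | yellow
RECOLOURED = two_tone((120, 20, 20), (60, 240, 220))  # same shapes, new colours
MIRRORED = two_tone((240, 220, 60), (20, 20, 120))    # halves swapped

if __name__ == "__main__":
    print(mean_difference(BASE, RECOLOURED), flagged_similar(BASE, RECOLOURED))
    print(mean_difference(BASE, MIRRORED), flagged_similar(BASE, MIRRORED))
```

With these constructed inputs the recoloured copy is flagged as similar because the grayscale step discards most of the colour change, while the mirrored layout is not.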

Offline gamey

  • Hero Member
  • *****
  • Posts: 2253
    • View Profile
Allowing people to change pictures can be gamed.  It is likely the less cpu intensive algos can be beat to find similar pictures.  Finding "similar" pictures can have many different use cases and the one description in the paper given would not likely cut it. If I was to scale my picture 15% it likely would pass that test as being unique.  I also don't think testing pictures for similarity will ever scale.

The visual hash idea is quite feasible but the robots suck.  The problem is there is nothing really in our brain to relate the robots to.  To me a red robot is categorized as a red robot.  You need visual hashes that have semantic significance to us.

Think of something like this
------------------------------------
|             Top item             |
|  L         BACKGROUND         R  |
|  e                            i  |
|  f           middle           g  |
|  t                            ht |
------------------------------------

So now we have 5 different elements.  A person on left and right, a background, something in the foreground and something flying up top.

You create a visual hash with all these and now you have a picture with a lot more semantic relevance.

Random hash = Gandhi looking at Clinton with a roulette table in the middle and an Egyptian pyramid in the background with a balloon floating on the top.  YOU WILL REMEMBER THIS to some extent.

It is like trying to remember a foreign name or a name you are familiar with.  With a foreign name you have to remember the content of the name AND the association.  With a common name all you need to do is remember the association.

With my system above, where the left/right are famous/distinct people as is everything else, it ends up giving a weird little story that people _will_ remember because it has semantic meaning to our brains.

So you could have 64 different people.  That is 6 bits.  Background 5 bits.  The foreground item 7 bits (128 unique items).  That's 24 bits.  Not sure how many unique hashes people need, but put in another 8 on top and it is 28 bits etc.  You could flip around the people to face the other direction and get 2 more bits without a lot of extra artwork, etc.

Anyway, I hope I've conveyed the idea.  Whether it is more professional or not, it couldn't be worse than the robots but I guarantee it would be far more effective at what it is trying to achieve.

The problem with the robots is they all look the same except for their colors... Well they look different, but not in ways that we remember as people unless you have a robot fetish.
« Last Edit: September 20, 2014, 09:08:06 am by gamey »
I speak for myself and only myself.
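
The five-slot scene layout described in the post above, as an added example (not code from the post or from BitShares). The use of SHA-256, the slot order and the function names are assumptions; the widths used here are 6 + 6 + 5 + 7 + 8 bits.

```python
# Added illustration; hash choice, slot order and names are assumptions.
import hashlib

# (slot name, bits): two people, background, middle/foreground item, top item.
SLOTS = (("left", 6), ("right", 6), ("background", 5), ("middle", 7), ("top", 8))
TOTAL_BITS = sum(width for _, width in SLOTS)

def scene_from_bits(bits):
    """Split an integer into one artwork index per slot, most significant first."""
    remaining = TOTAL_BITS
    scene = {}
    for slot, width in SLOTS:
        remaining -= width
        scene[slot] = (bits >> remaining) & ((1 << width) - 1)
    return scene

def visual_hash(account_name):
    """Derive the scene for an account name from the leading bits of its digest."""
    digest = hashlib.sha256(account_name.encode("utf-8")).digest()
    bits = int.from_bytes(digest, "big") >> (len(digest) * 8 - TOTAL_BITS)
    return scene_from_bits(bits)

def differing_slots(name_a, name_b):
    """Slots in which two accounts' scenes differ; what a viewer has to spot."""
    a, b = visual_hash(name_a), visual_hash(name_b)
    return [slot for slot, _ in SLOTS if a[slot] != b[slot]]

def distinguishable_scenes(noticed):
    """Number of scenes a viewer can tell apart if only `noticed` slots register.
    The smaller this is, the less protection the picture gives."""
    widths = dict(SLOTS)
    return 2 ** sum(widths[slot] for slot in noticed)

if __name__ == "__main__":
    # Constructed sample names.
    print(visual_hash("newname"))
    print(differing_slots("newname", "nevvname"))
    print(distinguishable_scenes(("background",)))
    print(distinguishable_scenes([s for s, _ in SLOTS]))
```

`distinguishable_scenes` puts a number on the concern that viewers may weigh one element heavily: a viewer who only registers the background separates 32 scenes, however many bits the full picture encodes.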

Offline emski

  • Hero Member
  • *****
  • Posts: 1282
    • View Profile
    • http://lnkd.in/nPbhxG
Allowing users the option to choose their image results in porn

Increasing the variety of robots would help. 

Confirmation check sums are how I hope to double check. 

Ideally users will get a payment request link and avoid typing altogether.

FREEEEEEEDOOOOM!!!!!!

Offline bytemaster

Allowing users the option to choose their image results in porn. 

Increasing the variety of robots would help. 

Confirmation check sums are how I hope to double check. 

Ideally users will get a payment request link and avoid typing altogether.
For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.

Offline emski

  • Hero Member
  • *****
  • Posts: 1282
    • View Profile
    • http://lnkd.in/nPbhxG
I've been thinking about an alternative to robohashes.

I've outlined my idea here: https://docs.google.com/document/d/1-dGHkyXgG649BJaWPnHX5ALMTQubUG5V9JNsB05z7ms/edit?usp=sharing .

One of my projects uses such techniques to detect similar images and similar strings (to correct for imperfect OCR - tesseract).
I have implemented features similar to the proposed ones for my project and I'm confident it will work out well for BitsharesX.

It will be cool for anyone to be able to pick customized avatar while we still avoid malicious behavior.

Thoughts?