Pull Request Submitted - Remove reputation protection from downvoted post hiding

in #abuse • 6 years ago (edited)

Normally when a user's post gets downvoted to a negative r-score, the post is hidden. This is not currently the case if a user's reputation is 65 or above. No matter how many votes a user with reputation 65+ gets, their posts will still get shown.

The idea behind this is that hiding posts was intended to prevent spam/abuse, and users who have earned a 65 reputation are not going to be spamming/abusing. In the rare case where a high rep user goes off the deep end, the community can downvote them back below 65.

Unfortunately there has recently been a case where a 65+ user's account was compromised, and this protection has allowed the malicious user to create posts and comments without fear of being hidden.

Since the protection against getting hidden is creating an exploit for malicious users to take advantage of unsuspecting users, I felt it was best to remove the protection.

I submitted a pull request to remove the protection for 65+ users:

https://github.com/steemit/condenser/pull/1838

If the pull request is accepted, it will mean that any user (regardless of reputation) can have their posts and comments hidden if they are downvoted to a negative r-score.


Tim you do a lot of good work here which is why I feel safe saying this pull request is doing more harm than good.

Downvoting bots on authors with 65+ reputations ruin the spirit of what you are trying to do with this pull request. For example, I have a bot that follows me around and downvotes most every comment I make by the account name of @veryscamfield. See the downvotes at https://steemd.com/@veryscamfield. This is an account created by @berniesanders and @nextgencrypto that automatically downvotes most of my comments.

Fortunately the reputation protection blocks this downvoting bot from hiding any of my comments with its dust vote. Without this protection, one user could make a bot to automatically downvote any and all of our 65+ reputation authors and automatically hide comments on a huge scale. There is no reason any of us should be expected to set up a bot to then autovote our comments back up to counter what already is prevented.

Your pull request means at no reputation level are we free from a dust voting bot hiding our comments and that it should then be our responsibility to auto upvote our own comments or to do it manually to counter this.

Would you please remove this pull request because it is opening a bigger opportunity for exploitation than the one it hopes to close?

There are pros and cons to the change. I am not dead set on it being made, but I lean more towards the pros outweighing the cons. Ultimately it will be up to Steemit, Inc. whether it is accepted or rejected.

A few questions:

  • It seems like the problem you described is also there for accounts with reputation < 65. It is probably a bad word to use to describe it, but why should level 65 users be exempt from this?
  • Can't it be countered by an auto-upvote bot? We've done this before when accounts like @asshole were randomly flagging tons of users.

Yes the problem is there for accounts less than 65 reputation which is good to catch users that are truly posting spam or comments that should be hidden. For users that are established in the community with over 65 reputation, no amount of downvotes should completely hide a comment because this user has proven themselves to our community a lot to get to 65. If that changes, repeated downvotes will eventually lower the reputation to below 65 and hide comments again.

We want to keep user protections available to authors contributing the most here especially when it comes to preventing abuse from bots. What we have in place with the 65 reputation limit for hiding posts is good because it provides that. There are almost no benefits to removing this protection while a huge annoyance is opened up to anyone over 65 being able to have comments hidden with even a dust downvote.

With the current system, having a downvote bot on someone over 65 is fairly pointless which is good because if someone has given enough here to earn a 65 reputation they should not be subject to having comments hidden by one dust bot autovote and expected to set up a bot or vote manually on their own comments to prevent this.

Authors with 65+ reputations are also more likely to be targeted than a user under 65 reputation simply due to popularity. As with me, more followers = more haters regardless of what I post. Should one account that has never posted or powered up any Steem be able to automatically hide all of your comments or mine? Absolutely not.

If this change goes through, one person would be able to automatically hide every author over 65's comments without having to buy any Steem power. That is a con that outweighs any pro for this change.

I see your concern and I don't disagree, but IMO users getting their accounts stolen through phishing is a bigger issue, even if it doesn't happen very often.

Another 66 reputation account was a victim of the recent phishing attack. Now there are 2 accounts that can post phishing links with little or no resistance. I've seen it take 2 - 15 days to recover an account. How fast can this spread if it is left unchecked?

While I agree this has pros and cons, unless you have another suggestion to stop the spread then I see this as a good temporary measure that could be reversed.

Why would a legitimate 65+ user automatically assume that a countering autovoting bot is needed? That's a bit confusing.

Tim's excellent idea would prevent misuse of stolen accounts and other malicious acts that can negatively impact Steemit.

Misuse of accounts and abuse from over 65 reputation is not that common whereas one person with a downvoting bot could hide every single comment by default on every 65+ reputation user if this update went through. After having a downvoting bot put on me, I see the need for anyone 65+ reputation to avoid having comments hidden by a bot.

I do see it from your perspective but, unsure if you're aware, a second 65+ account was just phished. What would happen if it's your account that's compromised and your reputation is on the line? One wrong click is all it takes man.

I don't see the difference between an account having rep 65+ and an account having a rep lower than 65, hence I don't understand why you are against removing the strange behaviour of Steemit. A more elaborate comment can be found here: https://steemit.com/abuse/@timcliff/pull-request-submitted-remove-reputation-protection-from-downvoted-post-hiding#@edje/re-timcliff-pull-request-submitted-remove-reputation-protection-from-downvoted-post-hiding-20171024t145903700z

Why protect 65+? Why not protect 60+? Why not protect 50+ or even 25+?

Another 66 reputation account was a victim of the recent phishing attack. Now there are 2 accounts that can post phishing links with little or no resistance. I've seen it take 2 - 15 days to recover an account. How fast can this spread if it is left unchecked?

While I agree this has pros and cons, unless you have another suggestion to stop the spread then I see this as a good temporary measure that could be reversed.

Okay... we see one instance where a 65+ user account is misused.

Can we list out the possible negatives or exploits that could be had if the Pull request goes through?

  • does it allow whale battles to go differently? (not that whale battles are ever good...but they do happen)
  • ??

Not sure on this one. But don't mind the discussion.

Just think changes shouldn't be made for one event....usually.

thanks

I think it makes sense to do this. A legit user shouldn't have to worry about having this protection in place. Why even have an exclusion for the higher reputation users? They wouldn't be impacted if they carried on as usual. It's no different than allowing special exceptions for those in charge that the little people have to comply to. I say equality for all, @timcliff. Good call.

I agree with you totally @mitneb.
If whales want to attack each other, they should not be immune just because they are whales.

Removing the protection only makes people aware they can't abuse the system just because they have higher reputation and they are privileged.

Thank you @timcliff for suggesting this

Not sure about this, while there's the corner case of a 65+ Rep account being compromised, flag attacks are far more common on the Steem network. I believe there should be some protection for high Rep authors against bad actors. Imagine if you (or any high Rep author) make a comment, and some people (not even a whale) downvote it baselessly - I wouldn't want it to be hidden.

Of course, the real issue here is that the Reputation system is dysfunctional and needs a complete overhaul. I'm sure that's in the pipeline somewhere for Hivemind's future releases, but probably a long time away. I have also suggested a decentralized judiciary system several times before. Clearly Dan seems to have learned from his mistakes with Steem and working on implementing one in EOS.

Valid points. As far as high rep users being downvoted, it could in theory be countered with an anti-abuse bot. Also, I would assume that they would have enough SP to counter it themselves if they wanted to (at least in most cases).

I'm not 100% set on the change though, and I think it is a good thing to discuss. Ultimately it will be up to Steemit as to whether or not they accept the PR.

No small fish dares to downvote a whale needlessly or without basis. Don't forget whales have the SP at their side.
The only case that High rep people would be affected is if another high rep or high SP downvoted them. In that case, I would like to think that these downvotes are not baseless!

Thank you for sharing and discussing.

I could agree with some protection to higher rep users, however I don't agree this marker shall be at 65+. I see high rep accounts abusing Steemit since the moment they were able to do so, eg having high rep and since HF19 removed many of the anti abusive protection already (eg the removal of limited number of post per day).

I fully agree the Rep system is not correctly implemented. The current Rep system allows users with high Rep to abuse the system without their Rep being affected when receiving downvotes. Also the power required the Rep is for higher Rep users too high, allowing high(er) rep users to abuse the platform for a longer period of time.

Recently I was flag attacked by @firepower a reputation 69 account and his @s4s, an account with 170k+ delegated SP. @firepower even banned me and other users who support me from steemit.chat just because I revealed the fact that he used a comment bot to spam Steemit.

Normally high reputation users have more powerful friends to help them. And low reputation users are helpless when they are treated unfairly.

This kind of protection is not fair. Why not protect accounts with 60+ or 50+?

Hmmm. I dunno. I guess commandeering 65+ accounts would have to be a prevalent thing. I don't think it is. At least, not to the degree this pull request would be necessary.

Appreciate the input. The PR has not been accepted yet, so discussion (from both sides) is good.

I definitely feel this is a good idea. The biggest issue when it comes to any type of cyber security is human beings and the trust we give to others.

This would be especially prevalent if the user has a very high reputation. With high reputation usually comes more trust. I think it is definitely necessary to be able to hide comments regardless of their level.

Why is there a need for this protection if the 65+ rep trust is inherent? Obviously, if the post garnered enough downvotes to hide the post, that person broke that trust and deserves to have a post hidden.

Just my thoughts.

I don't think rep protection is necessary anyway. Just because it went up doesn't mean you can't lose it.

Good PR @timmcliff. Regardless of your reputation, a bad post (or spam post) should be held in equal regard. If it gets sufficient flags, there is most likely an obvious reason, and so the protection on 65+ rep accounts should not be there. Most 65+ accounts won't need to worry about this, but it makes everyone equally accountable not to abuse the system.

A very good argument. I too believe that all users of the platform should be held to the same standards. Posts should be up or downvoted based on their individual merit and not on whichever reputation score a member has achieved. Greater transparency will greatly reduce the tendency to abuse the platform and facilitate a higher degree of civility.

I think that is a good idea to remove reputation protection. Remove reputation of protection is preventing "abuse of power" conduct. Nice and good idea :)
