mod_virgule Attack Resistance

lkcl and redi have commented on the ongoing trust metric attack on mod_virgule sites, noting the effects on Advogato. The same thing is happening to other mod_virgule sites including and ghostscript. I emailed Raph a warning about this activity in May when I first noticed the use of automated programs creating large numbers of identical accounts on the three sites. I don’t want to link to any examples directly but try googling on “dltxprt” or manually typing in the user URL to see an example user on all three of the mentioned sites. I’ve been tracking IPs and the account names on so I can kill them all off if needed but so far the trust metric has resisted the attack effectively.

The spammer is using the notes field of each account for search engine link spamming but otherwise isn’t causing much immediate harm other than resource abuse. I have working code to delete mod_virgule accounts but I’m still pondering how best to use it to remove the evil doers in this case.

The blog spam seems limited to Advogato for some reason. If it starts on, I think my solution will be to remove the A tag from the list of tags that can be used by observers. I don’t want to remove the ability of observers to post blog entries, as lkcl suggested, because that’s the only way we find out enough about some new users to decide whether they should receive a higher trust ranking.

One interesting thing to note is that almost all of the spammer’s accounts certify each other, creating what Google refers to as a “bad neighborhood” in webpage trust rank terminology. If you have a legitimate webpage and link to a “bad neighborhood” it can adversely affect your own page’s rank. It might be wise to implement something similar in mod_virgule. If a legitimate, trusted user certifies an untrusted user in a “bad neighborhood”, maybe it should result in decrementing the trust of the legitimate user rather than increasing the trust of the bogus user? Just a thought.

Trust Metrics from the 17th Century

Last time I was re-reading Heinlein’s, The Moon is a Harsh Mistress, I was struct by the possible applications of the rebel’s cell organization to the sorts of trust metric systems being played with these days. Then, a few days ago, I ran across a web log entry noting similarities between mod_virgule’s trust metrics and those used by a 17th century social network of Dove breeders – right down to a trust metric attack – “The Count of Villechy, in 1889, was expelled from the club for posing as two breeders in an attempt to boost his ranking”. The Count’s plot failed because of the hand-calculated trust metrics used by the network. Wow, talk about prior art! It’s easy to fall into the trap of thinking we’ve invented something new when it’s been done many times before. I wonder if anyone has put together a definitive history of trust metrics?

Turtles, Perl Monks, and Fidonet

Susan and I spent the afternoon at Fair Park the other day and shot a lot of photos of turtles. Susan got creative and scanned one of the pictures and wrote a short essay about turtles.

Someone on Advogato mentioned a new Perl site called Perl Monks. They have a much more elaborate trust/skill metric system than Advogato. I’m an Initiate (everyone starts out at this level and gains points through peer recognition over time). There are ten levels with amusing titles like acolyte, friar, pontiff, and eventually saint.

I got several replies from other old fidonet folks after my last news item, so there do appear to be others out there who remember the good ol’ days.

I ran across an interesting news story on Yahoo. Seems some French scientists have successfully used gene therapy to restore normal functioning of the immune system in two boys suffering from SCID (the disorder forces them to live in a sealed environment because they have no resistance to infection). The doctors made the gene modification by extracting bone marrow, inserting the missing genes, and then replacing the bone marrow in the body. Pretty cool.

Three Reptiles and a Gato

The weather has improved a bit here in TX. Now that the spring rains seem to have stopped, Susan and I have been able to resume our habitual late-night walks. The neighborhood wildlife count for last nights walk: three reptiles. A sleeping green anole in a tree, a mediterranean gecko out for a nocturnal snack, and a small rough earth snake that had been lying on the sidewalk to catch the last of the evening heat and must have gone to sleep. We woke it up and it slithered away into the grass.

Meanwhile, online, Advogato was host to a lengthy debate that started out being about what sort of community certification metrics were best and ended up being a flame war about politically correct labels for the certification levels. I posted my two cents on the certiciation issue. The end result? It looks like Advogato will stick with the existing certification system for now. And I got two more certifications – one Journeyor and one apprentice – apparently from people who read my article. Duff, one of the users who gave me a cert posted his reasons in his diary. This was kind of cool as it’s the first time I’ve actually known what motivated someone to certify me. (thanks duff!). My own certification system is that I only give certifications to people I know well (there aren’t any on advogato yet), people who have a well known reputation (like alan or miquel), and people who certify me, if there is enough information on their advogato page to make an educated guess at their level (like flaggz or kelly).

I noticed that ALSA 0.5.7 is out today. This should have the MIDI patches as well as a few other bug fixes. It will probably be late next week before I get a chance to try it out.

Advogato First Post

Assuming my patches to newslog and to mod_virgule work, this will be my first post to go to both my home page and to my diary simultaneously. If nothing blows up, I’ll probably post a freshmeat announcement later tonight in case anyone else wants to sync up news/diary entries on their personal home pages to their diary.

Discovering Advogato

I’ve been reading an open source news portal called Advogato fairly regularly and decided to sign up for an account. I’m usually just a spectator at these things – I don’t even have a slashdot account. But Advogato is fairly interesting in that it uses a group trust metric system to rate each member and assign privileges such as news posting. The theory is that this will make for a better signal to noise ratio and avoid slashdot-type posts about hot grits and Natalie Portman. Anyway, as a side effect, I’ve been working on a new version of newslog that will be able to post these news entries to my diary on advogato as well as here.