Effectiveness of checkuser Options

[Peter Damian]

I'm working on a document that is a detailed and point by point comment on WMUK's submission to the charity commission, July and September 2011. Note this is not public yet, as 'dogbiscuit' got access to a copy privately via FOI. The document (which I strongly believe was written by our friend 'Fae') contains many misleading or downright inaccurate claims.

Section 13.3.8 of the submission says ""There is also “CheckUser” software that enables a small number of selected and vetted volunteers to establish, in many cases, whether two editors are from the same ISP, and often where that ISP is located. This information is mostly used to detect blocked editors who try to return under a different account name. "

My experience of checkuser is that it is almost completely ineffective as a control over determined, intelligent users, and that evaders are usually caught out by stupidity or carelessness, rather than by the software itself. Examples are the easily availability of dynamic IPs (such as my own service provider, who kindly change my IP daily), the availability of 'hot spots' (public wifi networks), internet cafes, use of proxies.

Any other ideas to contribute to this section? I would be particularly interested in narratives or stories from experienced evaders.

As always, my email is edward at logicmuseum.com.

This post has been edited by Peter Damian:

[thekohser]

It sounds like you've about got it covered, honestly.

You might want to add that CheckUser produces many false positives (when a dynamic IP happens to get assigned to another customer of your same ISP, or when a public wi-fi node is used by different Wikipedians). And (in WP's defense), the CheckUser also produces "user agent info" that can help to very clearly confirm that the same computer hardware is being used by multiple accounts.

[Peter Damian]

It sounds like you've about got it covered, honestly.

You might want to add that CheckUser produces many false positives (when a dynamic IP happens to get assigned to another customer of your same ISP, or when a public wi-fi node is used by different Wikipedians). And (in WP's defense), the CheckUser also produces "user agent info" that can help to very clearly confirm that the same computer hardware is being used by multiple accounts.

Thanks ! I've also mentioned that the user agent info (as far as I know) is a javascript add-on that is easily disabled. Anyone know about this?

I also need to add that dynamic IPs can sometimes be disabled using 'range blocks', but that this means thousands or tens of thousands of other users are also prevented from using Wikipedia effectively.

This post has been edited by Peter Damian:

[melloden]

It sounds like you've about got it covered, honestly.

You might want to add that CheckUser produces many false positives (when a dynamic IP happens to get assigned to another customer of your same ISP, or when a public wi-fi node is used by different Wikipedians). And (in WP's defense), the CheckUser also produces "user agent info" that can help to very clearly confirm that the same computer hardware is being used by multiple accounts.

Thanks ! I've also mentioned that the user agent info (as far as I know) is a javascript add-on that is easily disabled. Anyone know about this?

I also need to add that dynamic IPs can sometimes be disabled using 'range blocks', but that this means thousands or tens of thousands of other users are also prevented from using Wikipedia effectively.

I believe there is a Firefox add-on called user agent switcher. I haven't tested whether it can fool checkuser, but I will do that sometime. Also, I think the Google Toolbar can affect the user agent.

Peter, have you ever played around with the checkuser interface? It's not very exciting, but it'll tell you everything you need to know about it.

[Peter Damian]

It sounds like you've about got it covered, honestly.

You might want to add that CheckUser produces many false positives (when a dynamic IP happens to get assigned to another customer of your same ISP, or when a public wi-fi node is used by different Wikipedians). And (in WP's defense), the CheckUser also produces "user agent info" that can help to very clearly confirm that the same computer hardware is being used by multiple accounts.

Thanks ! I've also mentioned that the user agent info (as far as I know) is a javascript add-on that is easily disabled. Anyone know about this?

I also need to add that dynamic IPs can sometimes be disabled using 'range blocks', but that this means thousands or tens of thousands of other users are also prevented from using Wikipedia effectively.

I believe there is a Firefox add-on called user agent switcher. I haven't tested whether it can fool checkuser, but I will do that sometime. Also, I think the Google Toolbar can affect the user agent.

Peter, have you ever played around with the checkuser interface? It's not very exciting, but it'll tell you everything you need to know about it.

Yes please. See email address above.

[Vigilant]

I'm working on a document that is a detailed and point by point comment on WMUK's submission to the charity commission, July and September 2011. Note this is not public yet, as 'dogbiscuit' got access to a copy privately via FOI. The document (which I strongly believe was written by our friend 'Fae') contains many misleading or downright inaccurate claims.

Section 13.3.8 of the submission says ""There is also “CheckUser” software that enables a small number of selected and vetted volunteers to establish, in many cases, whether two editors are from the same ISP, and often where that ISP is located. This information is mostly used to detect blocked editors who try to return under a different account name. "

My experience of checkuser is that it is almost completely ineffective as a control over determined, intelligent users, and that evaders are usually caught out by stupidity or carelessness, rather than by the software itself. Examples are the easily availability of dynamic IPs (such as my own service provider, who kindly change my IP daily), the availability of 'hot spots' (public wifi networks), internet cafes, use of proxies.

Any other ideas to contribute to this section? I would be particularly interested in narratives or stories from experienced evaders.

As always, my email is edward at logicmuseum.com.

There are many, many devices that allow for easy IP switching. Linux based routers, tethered smart phones, 3G to wifi local hotspots. There are many classes of device that allow you to change your IP immediately. If you combine these and either use different browsers or use a plugin that allows for browser string spoofing, there is literally no way for the checkuser tools to find you.

[Peter Damian]

There are many, many devices that allow for easy IP switching. Linux based routers, tethered smart phones, 3G to wifi local hotspots. There are many classes of device that allow you to change your IP immediately. If you combine these and either use different browsers or use a plugin that allows for browser string spoofing, there is literally no way for the checkuser tools to find you.

If I may quote you almost verbatim on that? It has a nice authentic ring to it (tho' I have no idea what it means).

[Kelly Martin]

The way British ISPs operate makes it difficult to geolocate users within Great Britain. This is partially because many ISPs service the entire country and so their IP pools may be allocated to locations anywhere in the entire country (and even in some cases outside the country). There are also "British" ISPs whose principal Internet point of presence is outside the UK and quite a few Brits who avail themselves of German, French, and Italian ISPs, all for various reasons. Also, UK hotspots provided by someone like, e.g., Starbucks, may end up appearing to be in the United States. It's well-known that all AOL users, including AOL UK users, will appear to be in Herndon, Virginia. So while IP information will sometimes be able to tell you where someone is, it's also the case that sometimes it will not even be able to tell you what continent they're on. And figuring out which often requires advanced knowledge of how the Internet works, something that very few checkusers have.

Checkuser can and will catch naive attempts to conceal identity. It catches most such attempts only because most people who try to do this are ignorant or stupid. Against those who know how to use proxy services, cache spoofing, and browser ID spoofing, the checkuser tool is virtually useless. Fortunately, there are fairly few people in this latter category.

Years ago, I caught one such person, who was running a large sockfarm to push a particular political point of view. He used a large network of proxies located literally all over the world, but mostly in Eastern Europe and Asia. I only caught him because he made mistakes; if he had been more careful at ensuring that sock A only used IP B (and so forth) I would never have caught him.

[Vigilant]

There are many, many devices that allow for easy IP switching. Linux based routers, tethered smart phones, 3G to wifi local hotspots. There are many classes of device that allow you to change your IP immediately. If you combine these and either use different browsers or use a plugin that allows for browser string spoofing, there is literally no way for the checkuser tools to find you.

If I may quote you almost verbatim on that? It has a nice authentic ring to it (tho' I have no idea what it means).

Feel free.

To expound:
* There are many classes of device where you can force a change of your IP. Anywhere a device acquires an IP address through DHCP (typically wirelessly). A wifi hotspot at Starbucks that sees your computer come into range will assign your computer a local IP address and wikipedia will see that particular Starbucks IP address (or one of their IP addresses) as the originator. Cross the street to another Starbucks and wikipedia will see a different IP.

* With 3G/4G (cellphone carrier) <--> PC (USB/Ethernet/Wifi) the situation gets better/worse. If you're using a 3G to Wifi hotspot (http://gizmodo.com/5256825/verizon-mifi-2200-3g-portable-wi+fi-hotspot-review (first hit on google)), then every time you power cycle the 3G router, you are given a new IP address.

* If you are tethering a smart phone, then power cycling will give you a new IP address.

* Agent spoofing is trivial. Firefox has plugins, there are dozens of ways to do this.
https://www.google.com/search?q=user+agent+spoofing

* To avoid exposing yourself if you're running sockpuppets, use a VM (VirtualBox, VMWare). You can install dozens of virtual machines, each running a differnet OS/Browser combination. Make a single account per VM and check the remember me button on wikipedia.

In summation, checkuser is feeble and the people who use it and expect results are even worse. They only catch the most lazy and incompetent sockpuppeteers. Or those who don't give a shit.

[Peter Damian]

There are many, many devices that allow for easy IP switching. Linux based routers, tethered smart phones, 3G to wifi local hotspots. There are many classes of device that allow you to change your IP immediately. If you combine these and either use different browsers or use a plugin that allows for browser string spoofing, there is literally no way for the checkuser tools to find you.

If I may quote you almost verbatim on that? It has a nice authentic ring to it (tho' I have no idea what it means).

Feel free.

To expound:
* There are many classes of device where you can force a change of your IP. Anywhere a device acquires an IP address through DHCP (typically wirelessly). A wifi hotspot at Starbucks that sees your computer come into range will assign your computer a local IP address and wikipedia will see that particular Starbucks IP address (or one of their IP addresses) as the originator. Cross the street to another Starbucks and wikipedia will see a different IP.

* With 3G/4G (cellphone carrier) <--> PC (USB/Ethernet/Wifi) the situation gets better/worse. If you're using a 3G to Wifi hotspot (http://gizmodo.com/5256825/verizon-mifi-2200-3g-portable-wi+fi-hotspot-review (first hit on google)), then every time you power cycle the 3G router, you are given a new IP address.

* If you are tethering a smart phone, then power cycling will give you a new IP address.

* Agent spoofing is trivial. Firefox has plugins, there are dozens of ways to do this.
https://www.google.com/search?q=user+agent+spoofing

* To avoid exposing yourself if you're running sockpuppets, use a VM (VirtualBox, VMWare). You can install dozens of virtual machines, each running a differnet OS/Browser combination. Make a single account per VM and check the remember me button on wikipedia.

In summation, checkuser is feeble and the people who use it and expect results are even worse. They only catch the most lazy and incompetent sockpuppeteers. Or those who don't give a shit.

Thanks. There are actually two bits of information for UKCC here. One is that it is easy to evade controls. Two is that there are real people out there, actively doing it.

[Vigilant]

There are many, many devices that allow for easy IP switching. Linux based routers, tethered smart phones, 3G to wifi local hotspots. There are many classes of device that allow you to change your IP immediately. If you combine these and either use different browsers or use a plugin that allows for browser string spoofing, there is literally no way for the checkuser tools to find you.

If I may quote you almost verbatim on that? It has a nice authentic ring to it (tho' I have no idea what it means).

Feel free.

To expound:
* There are many classes of device where you can force a change of your IP. Anywhere a device acquires an IP address through DHCP (typically wirelessly). A wifi hotspot at Starbucks that sees your computer come into range will assign your computer a local IP address and wikipedia will see that particular Starbucks IP address (or one of their IP addresses) as the originator. Cross the street to another Starbucks and wikipedia will see a different IP.

* With 3G/4G (cellphone carrier) <--> PC (USB/Ethernet/Wifi) the situation gets better/worse. If you're using a 3G to Wifi hotspot (http://gizmodo.com/5256825/verizon-mifi-2200-3g-portable-wi+fi-hotspot-review (first hit on google)), then every time you power cycle the 3G router, you are given a new IP address.

* If you are tethering a smart phone, then power cycling will give you a new IP address.

* Agent spoofing is trivial. Firefox has plugins, there are dozens of ways to do this.
https://www.google.com/search?q=user+agent+spoofing

* To avoid exposing yourself if you're running sockpuppets, use a VM (VirtualBox, VMWare). You can install dozens of virtual machines, each running a differnet OS/Browser combination. Make a single account per VM and check the remember me button on wikipedia.

In summation, checkuser is feeble and the people who use it and expect results are even worse. They only catch the most lazy and incompetent sockpuppeteers. Or those who don't give a shit.

Thanks. There are actually two bits of information for UKCC here. One is that it is easy to evade controls. Two is that there are real people out there, actively doing it.

I hope you're referring to Kelly's catch because I don't do this with wikipedia. I don't care to participate in the approved manner. I'm a mere sniper on the sidelines.

Another topic you could explore is the ease with which wikipedia could be corrupted.

[Peter Damian]

I hope you're referring to Kelly's catch because I don't do this with wikipedia. I don't care to participate in the approved manner. I'm a mere sniper on the sidelines.

Another topic you could explore is the ease with which wikipedia could be corrupted.

Of course (IMG:smilys0b23ax56/default/smile.gif)

This post has been edited by Peter Damian:

[dogbiscuit]

Don't get too excited about this. The CC will not be interested in the effectiveness of controls - that is not really their (political) problem, it is sufficient that they have enquired of them and been told that they are adequate - they have covered themselves. There would be a presumption that if they were deemed to be inadequate for the purpose then the controlling bodies will fix them over time. I very much doubt that CC would be interested in proof that a minority of malicious individuals could circumvent the controls.

So I don't think this is anything but a minor supporting argument. The real issues are about the public harm of wilfully inaccurate information (thinks, we have something where Wikipedia has taken a position on Scientology haven't we? Is it neutral or has it established an anti-Scientology position?).

Another issue was animal welfare where SlimVirgin sought to create a bias in a wide range of farming articles to show that animal farming was cruel - including deliberate blurring of the lines between factory farming and other practices to allow normal farming practices to be treated as inappropriate. I just looked and sure enough the Factory farming article is tagged. A good example of a battleground article, not tainted with sexual arguments, but potentially quite damaging as it is not a neutral overview of a controversial subject. For example, it associates BSE with factory farming, whereas it was poor feeding practice, not specifically factory farming. Quite importantly, and deliberately, misleading, scaremongering (not that I approve of factory farming). This was also an example of Verifiability not Truth as SlimVirgin used summary BBC News articles against things like the Government Inquiry which specifically concluded Factory Farming was not a factor - this was deemed to be a primary source, so could be excluded, even though it was clearly a very high quality source indeed. (Still grumpy about this after 4 years!!!).

[Peter Damian]

Don't get too excited about this. The CC will not be interested in the effectiveness of controls - that is not really their (political) problem, it is sufficient that they have enquired of them and been told that they are adequate - they have covered themselves. There would be a presumption that if they were deemed to be inadequate for the purpose then the controlling bodies will fix them over time. I very much doubt that CC would be interested in proof that a minority of malicious individuals could circumvent the controls.

So I don't think this is anything but a minor supporting argument. The real issues are about the public harm of wilfully inaccurate information (thinks, we have something where Wikipedia has taken a position on Scientology haven't we? Is it neutral or has it established an anti-Scientology position?).

Another issue was animal welfare where SlimVirgin sought to create a bias in a wide range of farming articles to show that animal farming was cruel - including deliberate blurring of the lines between factory farming and other practices to allow normal farming practices to be treated as inappropriate. I just looked and sure enough the Factory farming article is tagged. A good example of a battleground article, not tainted with sexual arguments, but potentially quite damaging as it is not a neutral overview of a controversial subject. For example, it associates BSE with factory farming, whereas it was poor feeding practice, not specifically factory farming. Quite importantly, and deliberately, misleading, scaremongering (not that I approve of factory farming). This was also an example of Verifiability not Truth as SlimVirgin used summary BBC News articles against things like the Government Inquiry which specifically concluded Factory Farming was not a factor - this was deemed to be a primary source, so could be excluded, even though it was clearly a very high quality source indeed. (Still grumpy about this after 4 years!!!).

Oh well. I am merely playing a small part, a cog in the machine. If I can show that they misled the UKCC in the application, that is one small step.

However, I have covered many of the things you mention above, such as the overall bias, the ineffectiveness of their controls in correcting bias, etc. The document plus appendices is now 12 pages. The checkuser part is one small paragraph.

You say "it is sufficient that they have enquired of them and been told that they are adequate - they have covered themselves. " A good bureaucrat proceeds on the principle of utmost good faith. They can't check everything, indeed they can rarely check anything, and place the utmost reliance on the good faith and honesty of declarations.

Also, it is difficult to question judgments they have made on the basis of available evidence. If, by contrast, it can be shown that the available evidence was flawed, they (the bureaucrats) have a nice get out of jail card.

Let's see.

This post has been edited by Peter Damian:

[Kelly Martin]

Indeed, I would argue that checkuser is actually overused and misused more often than not. In fact, its main use (other than to identify and interdict serial vandals, a purpose that really cannot be argued as anything other than legitimate) is to identify and punish those who attempt to game its internal political system. This is of no concern to the UKCC; the UKCC is not particularly interested in, nor charged with resolving, internal political disputes within the charities it regulates. Only when such disputes are so endemically severe that they threaten the ability of the charity to effectively self-regulate does the UKCC have an interest.

[gomi]

There have been many, many discussions here on WR about checkuser over the years. Here are a few of them:

How effective is checkuser?
CheckUser Safety Tips, Part XIV
Checkuser data retention
Checkuser statistics
Privacy violations by a Checkuser in the block log, a permanent record
Checkuser abuse

[Peter Damian]

This is of no concern to the UKCC;

Yes it is. Section 13.3.8 of the WMUK submission claimed it was an effective control, replying to concerns from UKCC about 'scope for abuse'. Therefore it is a concern for the UKCC. Obviously they couldn't care less about what it actually is. Trust me.

[Vigilant]

This is of no concern to the UKCC;

Yes it is. Section 13.3.8 of the WMUK submission claimed it was an effective control, replying to concerns from UKCC about 'scope for abuse'. Therefore it is a concern for the UKCC. Obviously they couldn't care less about what it actually is. Trust me.

It would be trivial to outline a scenario that would allow for rampant abuse (of whatever flavor) on wikipedia.
It would also be trivial to show that there exist safeguards that would completely prevent the abuse that are not being used by wikipedia.

It's very clear that they like things the way they are even when vastly better alternatives exist.

[melloden]

It sounds like you've about got it covered, honestly.

You might want to add that CheckUser produces many false positives (when a dynamic IP happens to get assigned to another customer of your same ISP, or when a public wi-fi node is used by different Wikipedians). And (in WP's defense), the CheckUser also produces "user agent info" that can help to very clearly confirm that the same computer hardware is being used by multiple accounts.

Thanks ! I've also mentioned that the user agent info (as far as I know) is a javascript add-on that is easily disabled. Anyone know about this?

I also need to add that dynamic IPs can sometimes be disabled using 'range blocks', but that this means thousands or tens of thousands of other users are also prevented from using Wikipedia effectively.

I believe there is a Firefox add-on called user agent switcher. I haven't tested whether it can fool checkuser, but I will do that sometime. Also, I think the Google Toolbar can affect the user agent.

Peter, have you ever played around with the checkuser interface? It's not very exciting, but it'll tell you everything you need to know about it.

Yes please. See email address above.

Yes please what?

[EricBarbour]

Don't forget the time Arbcom yanked away David Gerard's checkuser/oversight powers.
The original discussion on the Arbcom noticeboard was deleted and oversighted, because
Gerard claimed it was "potentially libelous", and managed to talk one of his buddies into
making it disappear.

Which resulted in this even-longer argument. Complete with Mike Godwin bitching certain people out.

David demanded a full retraction and apology, or oversight, and he demanded it in a hurry because Cade Metz was sniffing around. Arbcom doesn't do hurry under the best of circumstances, and here there were significant disagreements about whether or not a retraction was even deserved, much less how to word it. So the comments were oversighted instead. Thatcher 20:55, 2 December 2009 (UTC)

Gerard and Aussie political blogger Andrew Landeryou had apparently hated each other for years.
But the "fun" was triggered by this.

WR thread. Note that virtually all the Wikipedia traces of this situation have been oversighted by now.
Gerard, like Jayjg and Durova before, was quite happy to abuse checkuser.

If you ever need a good example of Wikipedia being used to defame, try Andrew Landeryou (T-H-L-K-D).
Looking for evidence of David Gerard socking? Try the history of that article.

Stupidity and incompetence, that's what Arbcom is all about. And checkuser is just completely useless.

[SB_Johnny]

Indeed, I would argue that checkuser is actually overused and misused more often than not. In fact, its main use (other than to identify and interdict serial vandals, a purpose that really cannot be argued as anything other than legitimate) is to identify and punish those who attempt to game its internal political system. This is of no concern to the UKCC; the UKCC is not particularly interested in, nor charged with resolving, internal political disputes within the charities it regulates. Only when such disputes are so endemically severe that they threaten the ability of the charity to effectively self-regulate does the UKCC have an interest.

Yup. I was a CU on 3 projects (a bit after Kelly's time), and this is right on the money, more or less. Aside from the WP CUs (who use it politically), most of the "other project" CUs are just trying to be helpful and chase down the grawpy types. Poet-horde-dude being the obvious exception, of course.

[Fusion]

It sounds like you've about got it covered, honestly.

You might want to add that CheckUser produces many false positives (when a dynamic IP happens to get assigned to another customer of your same ISP, or when a public wi-fi node is used by different Wikipedians). And (in WP's defense), the CheckUser also produces "user agent info" that can help to very clearly confirm that the same computer hardware is being used by multiple accounts.

And Checkusers may claim a match when the IPs are not identical but merely close. User agents are not extremely useful. They are identical on my office and home PC when both are using Chrome though not other browsers.

Also, I think the Google Toolbar can affect the user agent.

Yes all toolbars affect the useragent. Even bigger differences are caused byvarying between IE, Firefox and Chrome on the same machine, and probably other browsers too.

[SB_Johnny]

And Checkusers may claim a match when the IPs are not identical but merely close. User agents are not extremely useful. They are identical on my office and home PC when both are using Chrome though not other browsers.

The checkuser extension to the software is publicly explained, so there's really no need to make bad guesses and look like a fool. Just saying.

[Vigilant]

And Checkusers may claim a match when the IPs are not identical but merely close. User agents are not extremely useful. They are identical on my office and home PC when both are using Chrome though not other browsers.

The checkuser extension to the software is publicly explained, so there's really no need to make bad guesses and look like a fool. Just saying.

That being said, I'd guess that the biggest impediment to effective user ID is a lack of understanding about how TCP/IP and related protocol stacks actually work.

[lilburne]

This is of no concern to the UKCC;

Yes it is. Section 13.3.8 of the WMUK submission claimed it was an effective control, replying to concerns from UKCC about 'scope for abuse'. Therefore it is a concern for the UKCC. Obviously they couldn't care less about what it actually is. Trust me.

In what context were the CC using the term "abuse"?

[No one of consequence]

Checkuser can and will catch naive attempts to conceal identity. It catches most such attempts only because most people who try to do this are ignorant or stupid. Against those who know how to use proxy services, cache spoofing, and browser ID spoofing, the checkuser tool is virtually useless. Fortunately, there are fairly few people in this latter category.

+1

[No one of consequence]

Aside from the WP CUs (who use it politically), most of the "other project" CUs are just trying to be helpful and chase down the grawpy types. Poet-horde-dude being the obvious exception, of course.

For what it's worth, when I was active, I only found 2 (or maybe three) cases of WP checkusers using it "politically" and I came down pretty hard on both of them. One is no longer a CU, and I don't care enough any more to check the other one. (This was one of the things I was specifically concerned about when I wrote the essay that led to the audit committee. Of course, after two years, I expect the audit committee, if it even still exists, is as bogged down and useless as the rest of the bureaucracy.)

[Kelly Martin]

I think the main point to take away from this thread, apropos Peter's original question, is that checkuser is not really a tool that is all that useful in ensuring the quality of Wikipedia's articles. Its main purpose is in the interdiction of low-level vandalism. Given this, I think it's interesting that the WMUK cited it as an important part of the tools used to ensure the quality of articles.

The only way that checkuser can be used in defense of biographies of living people is, perhaps, as an investigatory tool toward the goal of identifying the real-life identity of editors for the purpose of identifying editors with conflicts of interest. But it is my understanding that such use is generally prohibited by policy, so WMUK's assertion that it can be, and is, used for that purpose is also interesting.

[TungstenCarbide]

Aside from the WP CUs (who use it politically), most of the "other project" CUs are just trying to be helpful and chase down the grawpy types. Poet-horde-dude being the obvious exception, of course.

For what it's worth, when I was active, I only found 2 (or maybe three) cases of WP checkusers using it "politically" and I came down pretty hard on both of them. One is no longer a CU, and I don't care enough any more to check the other one. (This was one of the things I was specifically concerned about when I wrote the essay that led to the audit committee. Of course, after two years, I expect the audit committee, if it even still exists, is as bogged down and useless as the rest of the bureaucracy.)

Does checkuser compare password hashes? (i'm assuming it does)

Here are the current checkusers; http://en.wikipedia.org/wiki/Special:ListUsers/checkuser

Jclemens and Versageek don't have a creation date for their account in this listing. wonder what's wrong with the database.

Most checkusers don't create content, they just engage in mmorpg.

For what it's worth, when I was active, I only found 2 (or maybe three) cases of WP checkusers using it "politically" and I came down pretty hard on both of them.

When checkuser is run on an established editor, that editor should get a banner, like the yellow talk page message. That would eliminate spurious uses, since the checkuser knows they'd have to answer for themselves.



This post has been edited by TungstenCarbide:

[Kelly Martin]

Does checkuser compare password hashes? (i'm assuming it does)

No, that requires database access.

Jclemens and Versageek don't have a creation date for their account in this listing. wonder what's wrong with the database.

That means their accounts were created before the modification that added creation date data to user records. Sometime in late 2004, if I recall correctly, although some accounts created after that date also lack creation dates, for reasons that I'm not clear about. In some cases, the creation date shown is actually the time of the account's first edit, not the time the account was actually created.

[EricBarbour]

Jclemens and Versageek don't have a creation date for their account in this listing. wonder what's wrong with the database.

That means their accounts were created before the modification that added creation date data to user records. Sometime in late 2004, if I recall correctly, although some accounts created after that date also lack creation dates, for reasons that I'm not clear about.

That is correct. All of the Wikimedia projects have errors and omissions in the admin databases,
some of them big enough to drive a truck through.

Last night I discovered that Pathoschild, that pimply little "man", has been an admin on English Wiktionary
since 2005, but isn't listed anywhere as such. They have two lists of admins, and he's not on either one.
What does he do on Wiktionary? Nothing. He claimed he needed admin power to run his "proxy blocking
project", whatever that is.

[TungstenCarbide]

Does checkuser compare password hashes? (i'm assuming it does)

No, that requires database access.

I've enjoyed probing cu's capability on occasion. In several cases the only 'technical' similarity between the accounts was the password, everything else was different - computer, browser, isp or tor, location ... but the checkuser report matched the accounts with a 'likely, based on technical evidence'. I'm starting to suspect they lied. The accounts were obviously the same user, based on behavior, I made sure it was obvious.

Interestingly, the list of my "suspected" sockpuppets is more accurate than the list of "confirmed" sockpuppets, with one error vs. two.

This post has been edited by TungstenCarbide:

[TheKartingWikipedian]

Does checkuser compare password hashes? (i'm assuming it does)

No, that requires database access.

I've enjoyed probing cu's capability on occasion. In several cases the only 'technical' similarity between the accounts was the password, everything else was different - computer, browser, isp or tor, location ... but the checkuser report matched the accounts with a 'likely, based on technical evidence'. I'm starting to suspect they lied. The accounts were obviously the same user, based on behavior, I made sure it was obvious.

Interestingly, the list of my "suspected" sockpuppets is more accurate than the list of "confirmed" sockpuppets, with one error vs. two.

Yes, interesting. I always considered that if they got down to checking passwords all my 20 or so active socks would be immediately linked and confirmed. So it requires database access - well haven't they, or someone they know, got that?

The fact is, passwords are considered sacrosanct by just about everyone, so if they start using them to determine socks - evne if they don't see the actual password - they will be plumbing new depths of depravity.

[TungstenCarbide]

The fact is, passwords are considered sacrosanct by just about everyone, so if they start using them to determine socks - evne if they don't see the actual password - they will be plumbing new depths of depravity.

meh, checkuser is already serving up your personal identifying information to some idiot. Declaring password checks off limits for some moral/privacy reason is disingenuous - Is it just for technical reasons that cu doesn't use the main database? Passwords are probably stored as hashes and cu could just show a 'match' or 'no match'.

Does cu analyze walk-throughs from the logs? That might be kinda interesting.

This post has been edited by TungstenCarbide:

[Kelly Martin]

Yes, interesting. I always considered that if they got down to checking passwords all my 20 or so active socks would be immediately linked and confirmed. So it requires database access - well haven't they, or someone they know, got that?

Not with the current version of Mediawiki. Password hashes are salted (and have been for quite some time), so the same password will have many possible different hashes because of the differing salts used.

[TungstenCarbide]

Interestingly, the list of my "suspected" sockpuppets is more accurate than the list of "confirmed" sockpuppets, with one error vs. two.

Considering that most of my accounts have "TungstenCarbide" in the name, and that I generally take no measures to mask my identity from cu (unless probing cu's capabilities), it's surprising the number of mistakes made. Wikipedia's sockpuppet identification machinery isn't very good. False positives probably drive away a lot of new editors who feel like they've been slapped in the face.

[Fusion]

And Checkusers may claim a match when the IPs are not identical but merely close. User agents are not extremely useful. They are identical on my office and home PC when both are using Chrome though not other browsers.

The checkuser extension to the software is publicly explained, so there's really no need to make bad guesses and look like a fool. Just saying.

Possibly there is some misunderstanding here. I have said that my English is still a little imperfect so maybe I say what I do not mean sometimes. What I meant was:

* A Checkuser (i.e. a person) runs a Checkuser (a Wiki function).
* He finds two users, one with IP say 73.167.89.245, the other 73.167.90.43 - close but not identical.
* Nevertheless he says, "Aha, a match!"
* Yet if these people are on stable IPs this does not prove a match; on the contrary it disproves it.
* If they are on dynamic IPs it may indicate a match but is far from conclusive.

Or were you querying my statement about user agents? Does Checkuser (Wiki function) show anything different from this site? Because with that site it is a fact that the strings are the same with Chrome.

I've enjoyed probing cu's capability on occasion. In several cases the only 'technical' similarity between the accounts was the password, everything else was different - computer, browser, isp or tor, location ... but the checkuser report matched the accounts with a 'likely, based on technical evidence'. I'm starting to suspect they lied. The accounts were obviously the same user, based on behavior, I made sure it was obvious.

So maybe "technical evidence" doesn't necessarily mean IP match? Maybe it can mean "shares a POV I don't like"?

[TungstenCarbide]

Yes, interesting. I always considered that if they got down to checking passwords all my 20 or so active socks would be immediately linked and confirmed. So it requires database access - well haven't they, or someone they know, got that?

Not with the current version of Mediawiki. Password hashes are salted (and have been for quite some time), so the same password will have many possible different hashes because of the differing salts used.

so what's this (I'm not a programmer);
http://svn.wikimedia.org/viewvc/mediawiki/...3&pathrev=39334

[Kelly Martin]

so what's this (I'm not a programmer);
http://svn.wikimedia.org/viewvc/mediawiki/...3&pathrev=39334

Tracks use of the email user and email temporary password functions.

[SB_Johnny]

And Checkusers may claim a match when the IPs are not identical but merely close. User agents are not extremely useful. They are identical on my office and home PC when both are using Chrome though not other browsers.

The checkuser extension to the software is publicly explained, so there's really no need to make bad guesses and look like a fool. Just saying.

Possibly there is some misunderstanding here. I have said that my English is still a little imperfect so maybe I say what I do not mean sometimes. What I meant was:

* A Checkuser (i.e. a person) runs a Checkuser (a Wiki function).
* He finds two users, one with IP say 73.167.89.245, the other 73.167.90.43 - close but not identical.
* Nevertheless he says, "Aha, a match!"
* Yet if these people are on stable IPs this does not prove a match; on the contrary it disproves it.
* If they are on dynamic IPs it may indicate a match but is far from conclusive.

Or were you querying my statement about user agents? Does Checkuser (Wiki function) show anything different from this site? Because with that site it is a fact that the strings are the same with Chrome.

In plain English: CU shows you the IP, the browser, and the operating system of the computer used to make a particular edit. It also shows the xff if xff is involved. That's all.

Reasonably intelligent CUs wouldn't see a match in the /16 range as proof of anything, without very strong "behavioral" evidence to back it up (and even then, they would probably look into whether the range is dynamic, whether there are clearly unrelated edits coming from the range, etc.).

I've enjoyed probing cu's capability on occasion. In several cases the only 'technical' similarity between the accounts was the password, everything else was different - computer, browser, isp or tor, location ... but the checkuser report matched the accounts with a 'likely, based on technical evidence'. I'm starting to suspect they lied. The accounts were obviously the same user, based on behavior, I made sure it was obvious.

So maybe "technical evidence" doesn't necessarily mean IP match? Maybe it can mean "shares a POV I don't like"?

I suppose that's possible on WP (since their CUs are appointed by the notoriously political ARBCOM, IOW Jimmy's favorite ass-kissers), but on the other projects they're elected according to how much they can be trusted. Sounds good and works fairly well, but again there's the Poetguy thing which shows a major weakness there.