CyberShadow / DFeed

D news aggregator, newsgroup client, web newsreader and IRC bot
http://forum.dlang.org/help#about

Disallow impersonation or certify authenticity of posters #105

Open schveiguy opened 6 years ago

schveiguy commented 6 years ago

Recently, an individual posted a few messages pretending to be both famous people, and people who regularly post on the forums (including myself). The famous people, I don't think there's much we can do about it. But it shouldn't really be easy to anonymously post with the name of someone else who is a known poster on the forums. Given that there's not really any other obvious identifying information (other than a gravatar if you have set one), it really looks like that original person has posted.

We may come across people with the same name, and I would handle that by not allowing posting without establishing an actual account/password.

Those of us who do have accounts should be able to "reserve" our names to prevent them from being impersonated.

Of course, you can't prevent newsgroup postings anonymously, but most trolls aren't willing to put in that effort.

CyberShadow commented 6 years ago

Not sure how feasible this would be to implement, considering...

One idea I had was to implement GPG signing and verification of messages. In the web UI, it could be done either by letting the user specify their own key which is kept strictly client-side (with the signing done in JS), or by letting the server have its own secret keypair. Then, posts by verified users could have a green checkmark by their name or something like that, similar to GitHub commits. Still, that only helps with some of the above points, and wouldn't stop someone from creating a keypair tied to a similarly-looking name.

schveiguy commented 6 years ago

> People can post via email or NNTP. Some people use email/NNTP and the forum web interface interchangeably.

This would only affect the forums. Not much we can do about mailing lists or NNTP, but my guess is that trolls normally will not use those interfaces.

> Requiring people to sign up for an account would create a barrier for new users.

You wouldn't be required, but don't get a name reservation unless you do.

> It is trivial to circumvent "reserved" names by using slightly modified names

Yes, I know. But this is still a distinction that isn't otherwise present when you copy the name exactly.

> substituting look-alike characters from other alphabets

That's more difficult to prevent. I suppose one could build a list of such characters and "normalize" the names before checking. But it's really not something I think is all too common on our little corner of the Internet. Maybe it's too much to try and prevent such things.

> insert zero-width whitespace or Unicode combining character, etc.

Just remove all whitespace/capitalization when doing the comparison.

> One idea I had was to implement GPG signing

Would that be usable via the NNTP or mailing list interface?
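
The name comparison discussed in the comment above (ignore whitespace and capitalization, drop zero-width and combining characters, fold look-alike letters) can be sketched as follows. This is an added example, not part of the thread and not DFeed code; `skeleton`, `reserved_collision`, the `owner` parameter and the small look-alike table are assumptions made for illustration.

```python
import unicodedata

# Constructed, deliberately small look-alike table (Cyrillic/Greek -> Latin).
# A real deployment would load the full confusables data from Unicode UTS #39.
LOOKALIKES = str.maketrans({
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0443": "y",  # Cyrillic u
    "\u0445": "x",  # Cyrillic ha
    "\u0455": "s",  # Cyrillic dze
    "\u0456": "i",  # Cyrillic Byelorussian-Ukrainian i
    "\u03bf": "o",  # Greek omicron
})

# Reserved names used as sample data (the two usernames seen in this thread).
RESERVED = ["schveiguy", "CyberShadow"]


def skeleton(name: str) -> str:
    """Reduce a display name to a key used only for comparison."""
    # NFKD folds compatibility forms (e.g. fullwidth letters) and splits
    # accented letters into base letter + combining mark.
    text = unicodedata.normalize("NFKD", name).casefold()
    text = unicodedata.normalize("NFKD", text)
    # Drop marks (M*), separators/whitespace (Z*) and control/format
    # characters (C*, which includes zero-width space and joiners).
    kept = [ch for ch in text if unicodedata.category(ch)[0] not in "MZC"]
    return "".join(kept).translate(LOOKALIKES)


def reserved_collision(name, reserved, owner=None):
    """Return the reserved name that `name` imitates, or None.

    `owner` is the reserved name of the authenticated account, if any;
    an account may always post under its own reserved name.
    """
    key = skeleton(name)
    for candidate in reserved:
        if candidate != owner and skeleton(candidate) == key:
            return candidate
    return None
```

Accented and unaccented spellings of a name share a key here, which errs on the side of rejecting an anonymous post rather than letting a near-copy through.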

CyberShadow commented 6 years ago

> Would that be usable via the NNTP or mailing list interface?

Yes, if interoperability wasn't a concern, there would be much simpler ways.

In any case, it would still take a bit of work.