'I want your Instagram account': a deadly campaign over coveted handles (businessinsider.com)
126 points by torritest on July 17, 2022 | 155 comments



The common thread among most stories like this is the spoof-ability of phone numbers. Telecom companies must make changes to prevent this kind of spoofing. Honestly, I think if telecom companies could be sued for damages caused by this kind of thing (not to mention spam) then I think the problem would get solved very quickly. The only reason it hasn't been solved yet is most of the cost and pain is borne by others.


>Telecom companies must make changes to prevent this kind of spoofing.

Traditional phone companies absolutely should do a better job vs spoofing (and I believe there is supposed to be at least some progress there via STIR/SHAKEN in the US at least), but I'm a lot more inclined to blame services and particularly armed response services that still treat them as secure in a way they have long long LOOONNNGGG since proven they aren't. Telephone numbers simply were never ever a particularly secure thing, predate the entire net let alone widespread use of cryptographic protocols, and retrofitting real security onto that legacy has proven non-trivial. They shouldn't be blindly depended on for something like SWAT deployment. Security services live in a world where they can be lied to and they act like it in other circumstances. They're the ones sanctioned by the state to responsibly employ lethal force, and have been given ludicrous amounts of outright military grade gear. They should be investing in tools and techniques to evaluate reports and gather intel on site before "storming the house". Even basic old humint like "asking the neighbors if they heard any shots" seems to have been tossed aside. Like take this very reported case:

>The caller told the dispatcher he had killed his girlfriend. He had barricaded himself inside his home in a quiet, affluent neighborhood on the eastern edge of Palo Alto.

OK, so maybe there is a criminal there, but by his own (suspicious) words nobody is in any immediate danger. The supposed body he's killed isn't going anywhere. Surround the place from a distance, sure, and if someone does start shooting from the house obviously that's clear enough. But if the police have the place covered and nothing happens, maybe ask some neighbors. Send in a drone or two. Get on the line with a judge for a quick order to use IR or terahertz imaging or whatever and see if that reveals anything. Get a megaphone and ask everyone to "come out with their hands up" even! If the police just go and storm the place, though, they could well cause the very situation they seek to avoid: what if someone is fast asleep, hears a break-in and opens fire to defend themselves? Hardly an impossible thing, particularly in America. It's happened.

Everyone in tech knows all about blindly trusting user input. Yes, absolutely it'd be good to deal with trivial spoofing, but that alone isn't going to mean there can't be malicious input. Or even non-"malicious" per se: there are people out there on bad trips or with untreated disorders who might report fake stuff fully believing it. The human mind is an imperfect thing. Stopping spoofing also won't stop someone from making a real call from a real phone that they've stolen, or from hacking into some business network and using its VoIP; calls from the victim's number could just as easily be calls from "a neighbor who heard shooting and saw flashes through the window" or a "concerned passerby". E911 is supposed to have a variety of standards for including location information, and in principle that should cut back on this as well: if someone claims to be in a house and the location doesn't show they're at the house, that should be a red flag. But that still leaves holes due to legacy and risk aversion from bad incentives. At the end of the day, I think any service for the general public needs to be careful about considering their inputs. Ask for money upfront for that pizza for the first order. Trust but verify and all that.

Edit: One useful thing the government could perhaps provide here would be something along the lines of a national "known harassed number(s) registry", where someone could report getting this kind of thing at their local police station in person, show proof of identity, and ask for their number to be flagged for a year along with a code word. Any future 911 calls could automatically be flagged in turn, the operator could ask for the code word, or at least let responders know that there was a history of spoofing and everyone should be extra careful.


> They should be investing in tools and techniques to evaluate reports and gather intel on site before "storming the house". Even basic old humint like "asking the neighbors if they heard any shots" seems to have been tossed aside.

Yeah, I've suggested this very thing myself on several occasions, but basically people who are against engaging in self-defense and prefer to use police officers as their own personal security are dead set against any kind of reform on this point. You're really not going to get any kind of reform on this point until it's more than just little people who are being inconvenienced by this. Basically unless and until SWAT shoots someone "who matters" it won't change... because some people are REAL sure they need a militarized police force who can kick in your door at any time on the word of an anonymous jackass on the other end of an unsecured line.


> but by his own (suspicious) words nobody is in any immediate danger.

I'd agree, were it not for my knee-jerk tendency to argue the contrary - the girlfriend may in fact not be dead, but only in shock. Also how do you know there isn't anyone in the house?

But probably those would be outlier situations, and the steps you suggest would be better than storming in.


You can always imagine situations in which any approach would be preferable to another, which is why they're terrible for determining the correct way to act.

What is more important is how society will act with said regulations/decisions, and then you'll have no choice but accept that the best way forward is the one that's hardest to abuse.

The aggressive approach is extremely easy to abuse and there are currently no dangers associated with the abuser, which is why SWATing is on the rise.


Lots of companies are comfortable programming a single caller ID for many phone lines in a call center. It's a legitimate business need. Trouble is the caller ID is not validated for each and every call. If the target phone could contact the claimed originator, and silently ask "did you send/initiate this message/call <token> <target number>", then phones (subject to preferences) could /dev/null incoming and not at all interrupt the owner. While SMS could be the protocol for that, they are not free for everyone, and landline users can't participate with today's handsets. The other problem is the world's hundreds of call center technologies would need to be upgraded - circling back to money. Each time the FTC brings this up the telcos say they agree it is important yet do nothing. Google and Apple could lead the charge with that silent use of SMS (subject to handset preferences). They could take it out of the hands of the telcos, and make them play catch up.


It’s really not. SWATting has nothing to do with spoofing numbers. You can call from google voice or skype and the cops will take it just as seriously.


I grabbed a short 2-letter Twitter handle within a few months after they launched. A few years ago I had someone use SIM hijacking to steal access to my phone number. This failed to get access to my Twitter account because I never set up a recovery phone number; however, he got access to my Facebook and a few other accounts. I got T-Mobile to fix the SIM swap, but after 3 nights of harassment I just changed my handle. I didn't want to give in but the handle wasn't worth the trouble. On the plus side, since Twitter doesn't allow handles that short anymore, once I changed my handle the hijacker's attempts were foiled.


How would they know the phone number associated with your account?


They were likely guessing that the number matching public records for the account owner’s name was the same used to secure the Twitter account.


Clearly, because the number wasn’t even associated with the account.


They may have had their Twitter handle on their CV.



Even 3-letter handles can be a bit of a drag, when random tweets get chopped off and only the first 3 letters of other Twitter handles happen to match.


IMO you shouldn't have given in. You should have been extremely petty here on principle - the situation calls for it.


Did you not read the article? The one where people's family members are getting harassed and someone died of a heart attack? That is a lot to put other people through out of "principle".


Darknet Diaries has done a few recent episodes on this topic. Episode 106 is about account handles told from the perspective of the victims, and it is quite sobering. Episode 112 is a long interview with an individual who had hacked handles, and it has a look into SIM-swapping and some of the tactics around that. Highly recommend ep112.


For the uninitiated (like me):

https://darknetdiaries.com/


We should probably fix SIM swapping / jacking for a lot of reasons, but can we also maybe up the seriousness of the legal frameworks at play? It's almost unconscionable that a Bay Area police department has no real idea / interest in understanding that you're being SWATed. It's definitely beyond crazy that the only way this guy got 5 years was because of further crimes committed while on bail. The criminals think the laws are lax _even in the midst of being prosecuted under them_.


I have a short instagram handle.

In 2016 someone figured out how to successfully repeatedly reset the password without my knowledge (via support maybe?). But since my e-mail was not compromised they didn't manage to change the password (or I was quick enough to set it again before they executed some second step of their scheme). I upgraded the security measures to 2FA and some insanely long password and it ceased.

Since November 2020 I am subjected to a brute-force attack - someone is trying to log in and I am getting an email notification about it each time. In the beginning it was once every five (!) minutes, later every 15 minutes. It went like this for over a year, now it seems to be throttled with emails arriving once every few days.

I am surprised that for such a long time Instagram didn't implement anything to counter such activities.

But luckily, no pizzas yet.


You would think there would be some account-based flag for that.. Even something insane like 10 reset requests within 2 hours.

This should be standard stuff really!
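The account-based flag proposed above (10 reset requests within 2 hours), written out as an added example over constructed log lines rather than anything Instagram runs; RULES and the account names are assumptions. It also covers the slow attempt stream described earlier in the thread (one try every 15 minutes), which stays under a 2-hour burst rule and is only caught by a longer window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rules (assumed): flag an account when `max_count` events of `event` fall inside `window`.
RULES = [
    ("reset_request", 10, timedelta(hours=2)),
    ("login_failed", 10, timedelta(hours=2)),
    ("login_failed", 50, timedelta(hours=24)),
]


def sample_log() -> list:
    """Constructed log lines '<ISO time> <account> <event>' (not real data)."""
    base = datetime(2022, 7, 17, 0, 0, 0)
    lines = []
    for i in range(12):   # burst: 12 reset requests inside 22 minutes
        lines.append(f"{(base + timedelta(minutes=2 * i)).isoformat()} shorthandle reset_request")
    for i in range(96):   # slow drip: one failed login every 15 minutes for a day
        lines.append(f"{(base + timedelta(minutes=15 * i)).isoformat()} initials login_failed")
    for i in range(2):    # ordinary user: two resets a day apart
        lines.append(f"{(base + timedelta(days=i)).isoformat()} ordinary reset_request")
    return lines


def flag_accounts(lines) -> dict:
    """Sliding-window evaluation of RULES over the log.
    Returns {account: {(max_count, event, window_hours), ...}} for tripped rules."""
    times = defaultdict(list)  # (account, event) -> timestamps
    for line in lines:
        ts, account, event = line.split()
        times[(account, event)].append(datetime.fromisoformat(ts))
    flags = defaultdict(set)
    for event, max_count, window in RULES:
        for (account, ev), stamps in times.items():
            if ev != event:
                continue
            recent = deque()  # timestamps within `window` of the current one
            for t in sorted(stamps):
                recent.append(t)
                while t - recent[0] > window:
                    recent.popleft()
                if len(recent) >= max_count:
                    flags[account].add((max_count, event, int(window.total_seconds() // 3600)))
                    break  # one hit per rule per account is enough
    return dict(flags)


if __name__ == "__main__":
    for account, tripped in flag_accounts(sample_log()).items():
        print(account, sorted(tripped))
```

A 15-minute cadence never puts more than 9 failures in any 2-hour window, so the burst rule alone would miss the pattern the commenter lived with for over a year.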


Time to filter that email notification


"Eberle left work and drove to the Palo Alto police station, where he explained the situation. But there wasn't much the police could do about it."

This is, IMHO, the key part. Mr Eberle found himself in a situation that would result in criminal charges for the "attackers" if they could be found, but the police simply give up.


"We're sorry sir, but unless you give us an address to swat, there's nothing we can do."


I remember getting a demand I surrender my HoTMaiL address to somebody in a very threatening email to my address way back in 1998. It was kind of surreal back then as the internet was still fresh. Nowadays the closest I've gotten to this is the people who keep using my Gmail address as their own email address. I find this behavior rather bizarre and don't know what it achieves.


> Nowadays the closest I've gotten to this is the people who keep using my Gmail address as their own email address. I find this behavior rather bizarre and don't know what it achieves.

I have this problem also! I thought it was rare. In my case I think the person is very bad with computers and doesn't know what their email address is. I've gotten emails from their bank, cell phone, and even online dating. I tried mailing them a letter once to tell them they are making a mistake but nothing changed.


I had some person's client email me regularly for years, which I ignored.

One day I decided to take action and sent an expletive-filled email to them telling them that I was not the person they thought I was and to stop emailing me.

They then sent me an email telling me I was fired.


Quick, tell them where you want your last paycheck sent...


They sent me a list of all the system passwords at one point. I should have put myself on the payroll.


my gmail is my <lastname>@gmail.com

It's not a super-common lastname, but there are probably several hundred people with it in the US.

I get all sorts of email for people whose address is some variant of it, like <firstname.lastname>@gmail.com. I've gotten plane tickets, paypal payments, cancer diagnoses, Bar Mitzvah and Wedding invitations, college transcripts, all sorts of personal information.

In many cases, I don't think it's the fault of the person with the email; I think they give their email as "firstname.lastname@gmail.com" and some clerk just uses "lastname@gmail.com"


A misdirected email is usually easy to handle. I have no problem responding to people telling them that they hit the wrong mailbox. The real problem is people using your email to register with services that provide no viable way for you to completely deregister from them.

Someone registered their brand new truck to my email address. I started getting a ton of automated email regarding the truck. The manufacturer didn't offer any options whatsoever to disentangle myself from that account. I even filled their support form and asked them to phone call the owner and sort it out. The only thing that did work was installing their app and honking the (parked) car horn from the other side of the world. A couple of days later, the account was magically deactivated and spam stopped.


When a 30k piece of equipment becomes a 30k broken (or liability!!) piece of machinery and that is public info, things change fast!


My Gmail is firstname.lastname@gmail and I get mail to that account that’s not for me. Must be the other party has a middle initial they are leaving out.


I would be careful with the "." in your username as someone else with `firstnamelastname@gmail.com` would likely get your email. I get the emails that are my ID with the "." in between.


I thought that gmail ignored the period, and would not allow registering one of those accounts if the other one already existed.


Well then, they didn't or it is relaxed now. I'm at the receiving end.


More likely some people just don't know how to write their own email address. Or typos.


Pretty sure the dot is still ignored


Surely some of those are legitimate mistakes, but also I think things like the cancer diagnosis are probably designed to get you to respond. This proves that there's a human to spam/phish at that address. I've also gotten "we're here at the airport, are you coming to pick us up?"


That's why I don't respond to any of them.


I’ve gotten invitations for a GP system, among countless signups for games as well as an account approval for a car. I’ve gotten a hold of one person who was ordering curtains with my email address, they were nice, I got hold of another person who was repairing their phone and they got angry. It’s really quite annoying, and half of the services aren’t even confirming the address, they just put whatever you fill in on the account and start sending ‘informational’ spam.


I have the same problem. Mostly for an old MobileMe/iCloud alias, but also for an entire domain that I own. Someone keeps signing up for Instagram accounts in another language.

My every day email is my name@myname.com, and I’ve had to purchase several typo domains and alias them.


Could this be credential stuffing attempts? Or just typos?


Usually it is someone who has their email as john.r.smith or similar and forgets they need the r.

There are other stories of people forgetting which company it was with (gmail vs yahoo) and even of google accidentally giving out emails with a period and then silently removing periods.


The Gmail domain will deliver email to an email address regardless of periods in the username. My email address is first name period middle initial period last name. I can put a period between any letters, all letters or none and I can still receive it.


Yeah, the story goes that very early on it let two people register joe.blow and joeblow.


PayPal let someone else add my Gmail address to their account, so I have to use a +paypal in my own account email.
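An added example of the service-side fix implied by the dot and +tag discussion above and the PayPal comment: canonicalise the address to the mailbox that actually receives it, then attach it to an account only after a token sent to that mailbox comes back. EmailRegistry and the users are hypothetical, and treating dots and '+tag' as aliases is assumed only for Google domains.

```python
import secrets

GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical(address: str) -> str:
    """Map an address to the mailbox that actually receives it.
    Gmail ignores dots in the local part and treats '+tag' as an alias;
    that is assumed here only for Google domains, other providers differ."""
    local, at, domain = address.strip().lower().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an address: {address!r}")
    if domain in GOOGLE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


class EmailRegistry:
    """Attach an address to a user only after the mailbox owner confirms."""

    def __init__(self):
        self.owner = {}    # canonical address -> user id (verified)
        self.pending = {}  # token -> (canonical address, user id)

    def request(self, address: str, user: str):
        """Start verification; returns the token that would be mailed to the
        canonical address, or None if another user already verified that mailbox."""
        key = canonical(address)
        if key in self.owner and self.owner[key] != user:
            return None
        token = secrets.token_urlsafe(16)
        self.pending[token] = (key, user)
        return token

    def confirm(self, token: str) -> bool:
        """Called when the mailed token comes back; only then is the address owned."""
        key, user = self.pending.pop(token, (None, None))
        if key is None:
            return False
        self.owner[key] = user
        return True


def demo() -> dict:
    """Constructed walk-through with made-up users 'alice' and 'bob'."""
    reg = EmailRegistry()
    token = reg.request("First.Last+paypal@gmail.com", "alice")
    reg.confirm(token)  # alice proved she reads the mailbox
    # A stranger types firstlast@gmail.com as "their" address: refused outright,
    # and even a typo-variant with dots could never pass confirm() for them.
    return {
        "bob_blocked": reg.request("firstlast@gmail.com", "bob") is None,
        "alias_same_mailbox": canonical("f.i.r.s.t.last@googlemail.com")
        == canonical("FirstLast+x@gmail.com"),
        "owner": reg.owner.get("firstlast@gmail.com"),
    }


if __name__ == "__main__":
    print(demo())
```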


Likewise I have no fewer than three people trying to use a gmail address I've had since 2003 as their own. It's extremely frustrating - one even sent me $45,000 in a mistaken paypal transfer and then when I reversed the charges I was hit with an overdraft since I had made a Paypal purchase (which would ordinarily come from my direct bank funds) not knowing the money had been sent to me in error.

It shouldn't be this easy to use someone else's email address.


I have an old 7 letter gmail address, not an English word even but it must mean something in India and someone must have used it because for years I got eye-opening stuff, full color scans of national IDs, job applications, business proposals, invoices etc. At first I tried to send messages back explaining but in the end I just had to block it all, didn't have the time.

>It shouldn't be this easy to use someone else's email address.

This though, seems hard. I don't think this is a "security" thing per se (though I dearly wish there was a modernized "email" system built with modern crypto from the ground up). But for any sort of communications at all it seems like there is an inherent tension between how low friction one wants for the world to communicate vs protection. Like, there is nothing stopping anyone from doing a pure whitelist system for email right now. I do in fact do that for a few accounts, like specific ones for client contacts: only active client addresses will be accepted; everything else is blackholed. Those obviously receive zero spam or misuse of any kind [0]. But obviously the tradeoff for that is no new potential clients could ever "cold call" it either. One could imagine technical solutions like "only accept stranger email from accounts with a signed ID" or "vouched for by known address" (ie, WoT) or "only address with a signed time token >N from providers X, Y or Z", or some kind of challenge/response, but all would have privacy tradeoffs, complexity, and still wouldn't inherently do anything about honest mistakes.

We could have more powerful options for this, but it'd still involve subjective tradeoffs between how open to new communications one wants to be vs cutting down on noise. No one right answer there.

----

0: Forged from fields are of course possible but in practice someone would at the least have to know which handful of the total planetary email addresses were whitelisted, never mind flags that show up in the headers from that


That was nice of you, you probably could've kept the money and there isn't much they could've done.

Ask me how I know :( PP money was not recoverable that one time my ex sent it to the wrong email address.


Paypal has a "reverse charge" button. You should be able to cancel any payment within a reasonable timeframe.


Must be a newer feature, this was back in 2014 and there was no button.

Thankfully it was only $500 bucks or so, not $45,000.


(Meanwhile, Google flags every log-in from my daily Linux driver as a potential security issue. Madness.)


When using Gmail to compose an email, sending to another gmail user, it shows me their profile icon. This has stopped me from sending to the wrong firstname.lastname@gmail.com variant several times. I don’t know if other providers do this but it’s something.


> Nowadays the closest I've gotten to this is the people who keep using my Gmail address as their own email address. I find this behavior rather bizarre and don't know what it achieves.

I have a very common English <firstname><lastname>@outlook.com address. My inbox is always full of bank statements, invoices, and all sorts of business correspondence and bills from all over the world.

It made the address unusable.


Same here. You could guess my GMail e-mail from my HN login :-)

Looks like it is popular among some ethnic groups.

I get applications for a waitress job at the Black Lion Pub in the middle of England, tons of registrations to any and each popular service which doesn't require e-mail validation, receipts from all around the world for online purchases (from dresses to drugs to surgical treatment of cats and dogs). I don't mention registrations in several recruitment agencies for low-wage workers ("I" was offered positions of forklift operator, gas station worker, etc).

There was a whole year+ when the PA of some real estate agency in Florida used this e-mail to book airline tickets and hotels for her boss. It was at least a trip each week, all around Florida and neighboring states. I've written to hotels, I've written to the public e-mail of this agency - to no success. I've cancelled these bookings - they were re-booked, sometimes for a much higher price. One time I've canceled a non-refundable booking for a hotel 6 times in a row. It was re-booked each time, nothing changed! In the end I've filtered out all messages addressed to this person (the name was always the same, which is what allowed me to figure out the firm & person). After a year or a year and a half it stopped.


I have a similar gmail address as a successful VC. As a result of this coincidence, I get unsolicited pitches for startups regularly. My anecdotal evidence suggests that 100% of unsolicited startup pitches are dumpster fires of cash. YMMV


Hotmail: It was really easy to "hack" Hotmail during that time. I created mine in 1999 and lost it in early 2000. By summer 2000, I happened to talk to a friend of a friend who worked at Hotmail. I got him to reset it and give me a new password that worked. I still have my Hotmail account and it is used for the times when you need a Microsoft Account.

Gmail: A lot of people seem to think email, then "Gmail". I get emails of at least 4 (or is it 5) people who have used some variation and also the exact ID of my Gmail account (created when it came out in beta). I get details of their credit card, bank, phone, and what not. I just ignore/delete them but someone with time and fun/bad intentions can do some serious harm. I have tried sending emails, contacting them a few times but to no good result. One got angry that I have access to "his email". From the mail history, I feel really sorry for them. They are definitely not well-off and I feel I should protect this part of their digital identity. :-)


I also have <mylastname>@gmail.com because I got my account before April 1st, 2004 (the public release date).

My name is also uncommon but it's very English, so I get weird email from England, Scotland, Ireland, Canada, South Africa, Australia, and New Zealand—anywhere there was an Anglo diaspora. I've given up trying to do anything about it, and it really isn't a problem because the volume is very low.

> I have tried sending emails, contacting them few times but to no good result.

As someone who's had this same Gmail address for 18 years, I'm here to tell you it is absolutely a pointless waste of your time and almost never results in the sender changing their address book, workflow, or typing skills.


You have random strangers typing in your exact email address thinking they own it?


1. They have used "." in between the usernames which I have full access to.

2. They gave that as their email (Gmail) ID when the banks, ISPs, asked and the institutes never validated it. To the other Brajeshwars, they are like "Oh! Email/Gmail, then it must be brajeshwar@gmail.com." But then I end up getting their emails.


I have a domain I've used pretty much just for email for the past 25 years. The domain is similar in a kinda h4cker l33tsp34k way to the name of a SaaS that started up about 8 years ago and offers a free trial. Now I get multiple emails a day due to people being clever and using their made up name @ my domain for their test accounts.

It was hard to filter it at first since people kept exploring areas of the trial that generated novel message templates and the messages seemed to come from an endless supply of unique hosts.

At one point I contacted the SaaS company about it but they told me there was "nothing they could do" even when I promised I was the only user at that domain and I had no intent to sign up to their service with it.

I used to just log into their trial and delete the account, but while trying to automate this I figured out a better way to do my filters so the emails don't really bug me anymore (except in the cases when someone picks an alias I already have in use).


Yep, I get the same. My Gmail is a simple first initial + surname, and I've received payslips, job offers and, most entertainingly, invitations to speak at a neurosurgery conference in Brazil.


I was the target of an online harassment campaign, and very soon afterwards I got a bunch of emails confirming registration on a whole range of forums I had never heard of. Seemed like people were using my email address for forum spam. I’ve been trying to migrate to a new email address ever since, not sure what else to do about it.


> the people who keep using my Gmail address as their own email address

I think it's a mix of room temperature IQ and Main Character syndrome thinking they're the only ones with their own name (especially if it's common)


This seems like such needless hassle and pain for everyone involved. If these companies just adopted a username system like most video games, where the user gets to pick any name they want and some arbitrary numbers get tacked on to the end, then this situation would be totally solved.


The problem is that these usernames are used to represent companies. They say "Follow us on social media: @Swann" but "Follow us on social media: Swann#58139" would be much harder for customers and potential customers to remember, and could lead to fat-fingered phishing and other issues.


You can always treat verified corporations and celebrities differently to the general population... Heck, they already do so it wouldn't be a big change.

Or even easier: make them into a paid product, potentially even a small subscription. Now you can milk people that want them.


Everyone should be treated equal. Special treatment for certain things is essentially the entire issue under discussion.


'I want your Instagram#0000 account'


Make the number random and exclude numbers under 1000, numbers with special meanings (1337, etc).


> Make the number random and exclude numbers under 1000

So, now 1001 is highly coveted, so let's exclude that as well. Oh, now 1002 is the lowest, let's exclude it as well. And so on.


You don't have to tell people what the lowest number is, and most people won't care if it is something random like 1072.


Even better: the companies should get rid of centralized identities altogether.


Wow. I have a 6 letter Instagram account handle that actually matches a popular (Western) name and initial out there. So far I get about one fairly polite request per month via DM to sell my handle to them, which I always decline, but lately I am seeing a rise in the number of 'password reset' emails I am getting from Instagram. It's gone from about one per week to sometimes 2 or 3 per day.

That fact, plus the stories in this article, is making me think of really closing off my social media visibility a lot more than it currently is.


Similar boat here - 3 character handle (my initials), and a constant flood of password resets. I used to get a lot of offers to purchase, the highest being $20k, but those seem to have stopped lately.


I am in the same situation. Sometimes I wonder if I should have responded to a bit higher offer sent by someone who possibly was a super wealthy Saudi kid (I am talking racing-lambos-in-the-desert-rich kind).


I can't imagine these people are that untraceable. If they are dumb enough to reach out to the victims, finding them should be doable with a bit of luck.


I think one of the issues is spoofing numbers is still not prevented by the miserable US telecoms. That allows these people to spoof calls and swat the target, worst case.


The article mentions Instagram DMs. I don’t think those could be spoofed. Law enforcement would have to care and Instagram would need to get a subpoena, but they should be able to provide a lot of info on the account that sent the message (geoip, behavior, etc).


I think not many PDs would invest resources trying to avoid some private person’s username from being stolen. I’d be upset if it happened to me but I doubt anyone else would care.


I think the harassment would be what gets investigated. Especially including swatting.

It seems like once law enforcement engaged it was quick since they arrested 3 days after someone died from a swat. But getting law enforcement to be interested is the problem.


Spoofing calls has literally nothing to do with swatting. The cops do not care which number the call comes from.


You’re kidding right? I can’t call the cops from my phone and say I’m XYZ and have killed my girlfriend and am going to kill more people. Literally TFA

"The police quickly traced the 415 number and determined that it belonged to Chris Eberle, a midlevel Netflix executive. When calls to the number went unanswered, the police descended in force."


I’m not kidding. You’re putting way too much faith in the article, most swatting calls are not spoofed.

> I can’t call the cops from my phone and say I’m XYZ and have killed my girlfriend and am going to kill more people

You totally can. You think the cops won’t show up with force if they get a call from a voip number or prepaid sim? They will.

I’d argue that spoofing the victims number is in fact more likely to result in an unsuccessful swat, as the cops might end up calling you back and reaching the target.

Fuck, kids have been swatting each other using TTS relays since at least the early 2000s.


They are traceable, but generally nobody bothers to actually trace them. On top of that, most of the people who would be charged with the task to do this are somewhat out of touch with how the (digital) world works.

I'm curious to see how laws and law enforcement around the world actually perceive this, especially considering the very different ways in which things like order bombing or swatting exist/don't exist in various countries.


It's only a very small part of this but I have to wonder why "cash on delivery" is a thing.

As far as I'm aware that's very usual in my country. We have no shortage of delivery services but they all need to be paid up front with a credit card.

It's like the US food industry has made itself a willing part of the harassment industry. The only reason I can think of for them to really want to offer this service is as a tax dodge.

I'm sure that there's no end of alternative ways that the inventive scumbag can think of to annoy people but that one at least is not open to them here.


Americans love their cash money. They say it's part of their freedom or something, but I'm not that convinced.


You don't see the utility or freedom of a way to spend money that governments and corporations can't track and store indefinitely? Look no further than the current abortion issue here. The government knows everyone who got an abortion in the past and paid by a credit card. Not by cash though.


If you think companies aren't tracking you even when you use cash, I have a bridge to sell you. Cash only


There is a huge portion of the country that doesn't use cards.

They are called the unbanked. They are poor.

It's part of the ideals of this country that everyone deserves equal opportunity of transacting with a business.

It's part of our freedom of association.

EU elites love their restrictions. They say EU elites love democracy or something, but after watching top bureaucrats try to hold the UK hostage over Brexit, I'm not that convinced.


Your comment makes absolutely no sense.


Instagram and Twitter are, AFAIK, the only social media sites that have valuable handles.


People routinely try to get HN ones, albeit by politely emailing.


Out of curiosity, what's your policy in these situations?


We make them earn it. Here's a typical email I send in response to such requests:

"We do sometimes recycle usernames when they're well and truly dormant, i.e. no logins for many years. But we only do this for established community members.

What I usually tell people in situations like this is to create a new account and build up a track record of being a good community contributor, and that if they do that, they're welcome to email again in the future and ask us to recycle the old username for them. We can always rename your account at that point."

If someone is already a good community contributor and has already built up such a track record, we're more likely to give them what they want. But only if the username they're asking for has shown no sign of life for many years.

-----

Edit: the above comment generated quite a few emails, which has forced me to think about what makes me uncomfortable about this. Here it is:

Obvious/hot usernames don't really fit the intended spirit of this site, which is (intellectual) curiosity: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor.... That spirit is more likely to come up with a new, creative username than to seek the one that's better for branding or vanity.

Branding is about being obvious and repeating things. That's out of sync with the spirit of this site. Similarly, vanity—though perfectly human and something we all have—is not particularly simpatico with curiosity. Put those together and you get the worst of both: "personal branding", which is particularly boring and uncurious.

Curious conversation is about some $thing that is interesting. It is not about $me, and when $thing is merely a means to $me (or $my-startup or $buy-what-im-selling), that's lame. You can usually feel it and smell it in the content, too, because the content wasn't produced out of interest or for its own sake.

Optimizing HN for curiosity (see link above) is a constant fight against the forces of promotion, which forever seek to pull people's attention away from things that are actually interesting and glue it instead to ulterior matters like marketing and messaging and sales. I'm not saying those things are bad in any absolute sense, but they're bad relative to the mandate of this site.

So this whole thing of "can I please have me this generic / obvious / presumably-high-status username that hasn't posted anything since 2008" makes me feel like someone doesn't really get what HN is for, and I get queasy.


What happens to the old messages of the reused handle at that point?


I'm not sure we've hit such a case yet, but we'd probably do the standard thing when we decommission accounts, which is to reassign the existing posts to a random username.


Eh, Reddit and any OG gamertag.


I wonder how many of the fake orders could have been cancelled by the restaurants themselves if they had tried to verify the phone number of the new customer (new phone number and/or address). Maybe an SMS for verification (fails in case of SIM-swapping) or pre-payment in case of a new customer. Assuming that there are viable methods for pre-payments.

I think if they choose to avoid any kind of verification of contact information they don't have good reason to complain in cases like this.


Easy solution: Assign all accounts a unique and randomly generated ID, and allow everyone to then use the handle they want. If someone wants to write a @handle in a post or a comment, a list shall appear, asking them to choose the account they wish to link to. IDs shall be public, and the list shall present itself as something like "@Max 36hf28bcd ; @Max 9jv1tcsh ; @Max b63avg960"


Discord does this. You can choose whatever name you want. Then your name has ‘#’ and 4 random numbers appended to it, like ‘Foo#5142’. The # and numbers are greyed out and mostly hidden, so when you see people's IDs, unless you're explicitly looking for it your brain only pays attention to the name part. IMO it works really well.


I had discriminator #9999 of a common last name and received death threats (for over a year) and support ticket impersonation "hey I lost access to my account", random friend adds and DMs trying to phish, constantly being sent tokenstealer malware.

This ended in the funniest way possible: being banned for using third party client Ripcord (presumably, no other offenses, happened shortly after trying it out).

My prediction for a system similar to the one parent suggests is that people will continually keep creating accounts until they get something like "Max a0a0a0a" or "Max 000000e" or something by chance, and then that becomes """valuable""" and the same thing happens.


It turns out that cryptographic gobbledygook is difficult for humans to understand. Even if your conscious mind knows it's a meaningless jumble of characters, your visual processing system, evolved over millennia and honed with decades of schooling to read text fast, automatically fails to parse it in your visual field. So your users will self-train to ignore them.

A solution is to display the random nonsense as a unique image. More pleasant to look at, much easier to discern differences. There exist competing standards and services for generating images from random numbers, because it turns out the most universal way of doing this is abstract colorful shapes, which fall into that uncanny valley of approximating but not quite successfully imitating abstract art; and most people seem to think that's ugly.

Maybe that dall-e thing could generate good images to represent hashes? What does it output if one inputs nonsense?
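The "random nonsense as a unique image" idea in the comment above is what identicon generators do. The following is an added illustration, not code from the thread or from any of the services mentioned: it hashes an arbitrary seed (a user ID, a key fingerprint), takes a colour from a small palette, and fills a left/right-mirrored 5x5 grid from the remaining hash bits, so the same seed always produces the same shape and two seeds that differ in a single character produce unrelated shapes. The palette and the grid size are assumptions chosen for the example.

```python
import hashlib

GRID = 5  # 5x5 cells; the right half mirrors the left, like classic identicons

# Assumed palette: a handful of hues chosen to stay distinguishable under the
# common colour-vision deficiencies. Tune for your own UI.
PALETTE = ["#0072B2", "#E69F00", "#009E73", "#CC79A7", "#56B4E9", "#D55E00"]


def identicon(seed: str) -> tuple[str, list[list[bool]]]:
    """Deterministically map a seed string to (colour, symmetric on/off grid).

    Byte 0 of SHA-256(seed) picks the colour; the following bits decide which
    cells of the left-hand columns are filled. Mirroring the left half makes
    the result look like a shape rather than noise, which is what makes two
    different seeds easy to tell apart at a glance.
    """
    digest = hashlib.sha256(seed.encode("utf-8")).digest()
    colour = PALETTE[digest[0] % len(PALETTE)]

    bits = [bool((byte >> i) & 1) for byte in digest[1:] for i in range(8)]
    half = (GRID + 1) // 2  # 3 driving columns for a 5-wide grid
    grid = []
    k = 0
    for _ in range(GRID):
        left = bits[k:k + half]
        k += half
        # e.g. [a, b, c] -> [a, b, c, b, a]
        grid.append(left + left[:GRID - half][::-1])
    return colour, grid


def render(grid: list[list[bool]]) -> str:
    """ASCII rendering for terminals and tests; a real UI would draw cells."""
    return "\n".join("".join("#" if cell else "." for cell in row) for row in grid)


if __name__ == "__main__":
    for seed in ("Max 36hf28bcd", "Max 9jv1tcsh"):  # IDs from the thread, used as seeds
        colour, grid = identicon(seed)
        print(seed, colour)
        print(render(grid))
        print()
```

Note that an identicon is a recognition aid, not an authenticator: the image space is only a few thousand shapes per colour, so a determined impersonator can grind seeds until one looks close. Show the full ID (or its fingerprint) on first contact, as the later comment in this thread suggests, and use the image only to make a changed identity stand out.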


1. System assigns each user a random visually unique (no lookalikes) ID, and assigns a visually unique colorblind-friendly abstract image generated from user's ID (like you say) as default avatar.

2. User is free to change avatar and username, except there must be no visually similar avatar-username combinations across userbase. The restriction is enforced any time the user changes avatar or username.

3. System ID is shown to screen readers in place of avatar.

4. Whenever user interacts with another, if they have not communicated before, profile image or system ID is made more prominent for validation.


Discord does this and it's really annoying. Especially if your usual handle is actually sufficiently unique that you've never had a name collision on any site, ever. It's almost as annoying as trying to remember anyone's ICQ number.

"Easy" solution: all account names must be at least ten characters long, single dictionary words and common first names are illegal. Make everyone spend some time picking a Good Handle.


As long as you can login using your email address you don’t need to remember it. Never mind that I don’t even know the number on my account nor the password, that’s what password managers are for.


Login is not the problem, sharing your contact info off the top of your head is.


Absolutely hate any service that does this, and won't use them.


Cool.


Basically Discord then? You have a human-readable handle that is not guaranteed to be unique, and disambiguated by the last 4 digits (?) of your actual UID (which is a number)?


Stadia does something like this. Thought it was a neat idea too.


That isn't a solution, because people who want to have a memorable/unique username are not interested in sharing it with others, and they will move to a platform where they don't have to. Probably part of Twitter's appeal early on was the ability to get there early and grab up an account like @cookies or @milk.


I guess we as a society have to decide if we want a market on usernames. I don't think we need it. And if the majority of users agree and switch to a platform that doesn't value usernames, then the few people trying to monopolize usernames (like the people who swarmed to twitter to grab handles) will be left on a barren platform.


Absolutely. I only said that what was referred to as an "easy solution" isn't.


This article brushes over it, but the underground economy of account selling and promotions is quite expansive, and inherently involves Meta's own platform. Meta should be getting into the brokering business of these: be the escrow, be the reseller.

There are people that professionally grow accounts, while the regular users do the same for a little dopamine kick with little efficacy and the most 'heretical' thing they'll do is buy disengaged followers. But it has much greater efficacy to just get an already professionally grown account and rebrand it based on the audience that found the account. I've made a lot from rebranding accounts for marketing strategies. I've lost a bit trying to buy from unscrupulous sellers. Apparently we violated the Terms of Service, oh no.

Meta could definitely support this behavior and amplify it. They need to re-educate consumers about not coveting followers, but just the content. Currently, people think how you got followers is important. But it's not.


5 years in jail only? How is this fair? He caused a death. By choice. By design.


If I read correctly it was part of a plea deal. Prosecution probably thought they couldn't secure a conviction unless they copped to a lesser sentence, so they bullshit them into taking it.

That said... I wonder if the deceased's estate has filed a civil suit against this jerk? Would serve him right to lose everything he's got.


I'm usually the one who gets his username due to a long-ish and odd name for the Internet (but common in India). For Instagram, I ignored it long enough, and don't have the username. Later, I signed up with my family name (a 5-character word), which also happens to be the name of a small town in India. I get regular bombardment of attempts to get to my account. Of course, it will have to be someone from my State, as the name has its meaning and importance just for the people of the state.

My accounts are not the most important. However, I'm now beginning to accept that anything can be hacked, locked, and the day I have no access to a particular account, I should be able to walk out and not care (wherever possible and makes sense). I have also begun to offload accounts/IDs to a common family entity that can be run by "trustees" instead of being a personal one.


So in a sort of "phone can be rendered useless if stolen" kind of a way, why can't IG (etc) lock an account (perhaps with a message on the page of the username, based on an irreversible flag on a user account?) that says something like "this account cannot be transferred" with a help link that explains the account will be killed if the email address changes (perhaps without submitting a passport or something to prove it's changing for the same person). Would we then be at a point where this kind of swatting is pointless? Even if you got the name via harassment the system would kill it?

I've thought about this for about 15 seconds, but you get my point.


I have someone that wants to buy my Twitter and Insta handle, person already 'hijacked' my domain (dad paid for it, passed away, and payment failed and lost it). Obviously, never going to sell those handles


I have my first name (a very common Asian name) as username on Yahoo, GitHub & a few other places. I have received hundreds of password reset requests on average every week. I was given a special contact request by Instagram & GitHub to reset my password if that ever arose. My password recovery is in "semi lockdown" mode - someone can initiate it, but I won't be bugged every time. That was very kind of the tech support to find this alternative solution.


There's a similar story on the Reply All podcast about a group trying to take a woman's Snapchat handle because it was Lizard.

https://gimletmedia.com/shows/reply-all/v4he6k/


maybe don't have SWAT teams that just go to people's places when getting the smallest excuse to do so?


My fellow Europeans: Is mobile phone number spoofing like this possible over here, too?


I think a lot more important part of the problem is getting SWATted and potentially killed by the police. For which they will also receive minimal to no punishment, so no change in future behavior either.

It wasn’t spoofing per se that caused the word “deadly” to appear in this article’s title.


I think it is. See recent HN story [1], and specifically the page it links about Sender ID regulations [2].

[1] https://news.ycombinator.com/item?id=31862994

[2] https://support.sms.to/support/solutions/articles/4300056265...


Yes, but phone number spoofing is not an important part of this story in any way.


How is swatting even a thing? Terrifies the shit out of me.


> Swatters place hoax calls to local police departments, provoking heavily armed SWAT teams to storm the homes of their victims. Haters have swatted online influencers, streamers on Twitch, and prominent figures in the tech industry, including Facebook executives and the head of Instagram, Adam Mosseri. In 2017, the police in Wichita, Kansas, fatally shot a man after they were summoned by a swatting attack over an online match of "Call of Duty."

Ok... this is terrible journalism. They're failing to correctly and accurately identify the parties in play. These aren't "haters", they're unhinged individuals or it's organized crime.


Or haters, or jealous folks, or <name your negative phrase>. You should look up some stories of famous women on Twitch or YouTube. I think it's definitely fair to say that "I hate you because you won't respond to me" or "I wanted to see the SWAT team burst in on someone when they are streaming" counts as a hater, among other things. You're reducing it to "The only possible reason someone would do this is because they are mentally ill ('unhinged') or they want money", which is only a subset of the motivations. Especially in the context of this paragraph, which is talking about ALL swatting, not just getting people's usernames.

I guess you could argue that the only reason that people troll is because they are "unhinged" but that is a bit too hand wavy for my tastes.


My point is the label hater is a generic term that is frequently used to dismiss valid points and criticisms of others. It has such a low bar that a distaste or a popular dislike winds up having a large group of people being labeled as a "hater".

It's imprecise, it's from the subject's point of view (which makes it a poor statement to make from the journalist's pov), and it potentially leads the readers to make ill-informed opinions about the wrong people.


The person who did this needs to be tracked down and stopped. This is a terrorist and a hateful oppressive evil.


The article says that the person behind this campaign of harassment has been arrested, tried, and sentenced to five years in prison.


I think what worries people is the low effort it required. This guy was unlikely to strap a bomb to himself or hijack a plane, but he could do considerable damage from behind a computer. The asymmetry of personal sacrifice and external harm is such that fewer extremists are deterred from participating. The solution is to remove the asymmetry. In most cases, the police could solve this by simply slowing down and thinking for two seconds before shooting someone.


Yes another reason people should leave these corporate run media sites.


There's nothing about this campaign that is caused by or made worse by the fact it is a corporate media site.

Names - whether they be DNS names or Instagram handles or trademarks - are valuable.


This is definitely a problem of social media IMHO. When you can be @ginger@some.domain by just finding a Fediverse server where nobody's decided to be @ginger yet, or getting someone in your circles with the resources to stand up a server, there's a lot less competition than when there can only be one @ginger on all of Instagram across the entire world.

Someone could still decide that being @ginger@prestigious.domain is Worth Something and start harassing you for having it but it's a lot less likely.


This accomplishes precisely nothing except moving the problem to another layer.

> A man who enlisted his cousin to break into a Cedar Rapids man’s home and order him at gunpoint to transfer an Internet domain was sentenced today to 14 years in federal prison.

https://www.justice.gov/usao-ndia/pr/social-media-influencer...


It greatly expands the space. If you’re content being @ginger@some.domain then you’re fine. If you insist on being @ginger@ginger.com then it’s still a limited resource to be fought over. But you might also be happy with @ginger@ginger.party and find that to be available, thanks to the expansion in TLDs.


You're missing the point that you might want @me:yourname.domain, but someone has already registered the domain. Real names aren't unique either. This is why domains frequently change hands for a lot of money.


True, but this greatly expands the name space for people who are content to be an account on someone else’s server.

The name space of domains is also a lot larger now that we have tons of TLDs.


I agree that this is terrible and that it is the responsibility of the companies to protect their customers, but theft happens with anything that's valuable. Domain names, email addresses, cars, etc. These can be "decentralized" but it doesn't mean that people won't try to figure out your password or find your keys so that they can steal them.


I would go further and say that all social media should be outright banned, corporate or not


Social media is optional. You don't have to use it. I don't.

But not letting other people send messages over the internet through platforms created for the purpose because you don't like it is a special level of heavy-handed dictating.


Smoking is optional. Guns are optional. Nukes are optional. Still needs to be regulated. How long before society accepts that damage is being caused by mobile phones and social media?


You are on it. Right now.


There's a big difference between personal social media like Instagram, Facebook, Twitter, etc and topical discussion sites like HN.

I'm sure GP meant the former.


Building everything on top of collecting Likes/Followers seems to be the issue.


Someone needs to go Liam Neeson on these people.


I think you’re supposed to call him after your handle is taken.


I’d watch that movie!


I really enjoy cases of swatting because it's a Confused Deputy problem but with actual confused deputies!

Police organizations are usually pretty primitively organized. They don't have the concept of studying a common body of work or anything. So they suck at what they do and they don't get better at it.


Police departments are essentially unaccountable to the proletariat. None of this will change unless and until the bourgeoisie are the ones getting shot because an anonymous jackass placed a phone call to conduct his own personal Milgram experiment.

