Eliminate "Validate Email Address" Requirement


Advanced search

Message boards : Problems and Help : Eliminate "Validate Email Address" Requirement

Author Message
Profile Team SETI.USA
Send message
Joined: 13 Aug 10
Posts: 4
Credit: 0
RAC: 0
Message 13565 - Posted: 12 Feb 2015, 1:04:33 UTC

Would it be possible to eliminate the "validate email address" requirement to post on the message boards? I (and I suspect many others) have a defunct email address that I use as my BOINC ID. So while I'm actively crunching, I can't receive email at this address. Changing the email address will consequently split my CPID and cause a lot of problems on stats sites.

FYI, to ask this question, I had to login using our team's Admin account, which has an active Gmail address, allowing me to verify that one.

Note: I am Maxwell [MM]

Profile noderaser
Project donor
Avatar
Send message
Joined: 28 Mar 06
Posts: 512
Credit: 1,553,018
RAC: 79
Message 13566 - Posted: 12 Feb 2015, 3:29:12 UTC

I'm pretty sure that's an anti-spam feature... Silly question, why not change your account info at the other projects to use an active address? I'm on my third email address for BOINC, no lost projects or credit for any active projects.
____________

Profile Team SETI.USA
Send message
Joined: 13 Aug 10
Posts: 4
Credit: 0
RAC: 0
Message 13572 - Posted: 13 Feb 2015, 17:38:15 UTC - in response to Message 13566.

I'm pretty sure that's an anti-spam feature... Silly question, why not change your account info at the other projects to use an active address? I'm on my third email address for BOINC, no lost projects or credit for any active projects.

The simple answer to that is "inactive projects."

If I were able to access the websites of all projects I crunch, I'd change the email address no problem. But I have crunched several dozen projects that are inactive/completed, and the websites are taken down. Changing the email address on some would cause a headache with the stats sites.

Profile noderaser
Project donor
Avatar
Send message
Joined: 28 Mar 06
Posts: 512
Credit: 1,553,018
RAC: 79
Message 13573 - Posted: 14 Feb 2015, 3:36:55 UTC - in response to Message 13572.

If I were able to access the websites of all projects I crunch, I'd change the email address no problem. But I have crunched several dozen projects that are inactive/completed, and the websites are taken down. Changing the email address on some would cause a headache with the stats sites.

Ah, I've been a long time user of BAM, so that's taken care of for me... Bummer, maybe they'll come up with a way to fix that in the future.

So, I guess that precludes you from joining any new projects also?
____________

Profile Janus
Volunteer moderator
Project administrator
Avatar
Send message
Joined: 16 Jun 04
Posts: 4487
Credit: 2,094,806
RAC: 0
Message 13575 - Posted: 14 Feb 2015, 12:24:52 UTC
Last modified: 14 Feb 2015, 12:45:15 UTC

As a little curious side note here: You are barking up exactly the right tree about this issue.

The cross project identification system was designed to help stats sites identify which projects a particular user was actively partaking in with a somewhat high degree of confidence. The design goals were that:


  • Active projects should fairly quickly reach agreement of cpid, even when adding new ones to the mix
  • No server-to-server communication needed to happen between projects
  • No other information should be leaked through the identifier
  • False positive clashes should be uncommon
  • Even if not all hosts are connected to all projects it should still work
  • It should be somewhat difficult for ordinary people to hijack a specific identifier


This is why the private crossproject identifier starts out as a completely random number, which spreads through the client settings of the hosts connected to your account on a project and then from there to other projects that the same hosts participate in. This particular identifier usually doesn't change and is kinda your "secret" - or well, nothing more secret than it is written in plain text in client_state.xml under .
If someone were to impersonate you on a new project we had to have a way to make it hard for them to do so. That's why the exported cpid (the one that stats-sites have access too) is actually a hash of the private cpid and your email. This forces an adversary to either come up with a new private cpid for himself that when hashed with his email gives your exported cpid (which is/was cryptographically hard) OR an adversary would have to steal your private cpid and set up a new account with your email address... which kinda defeats the purpose of impersonation since you can then simply take it over.

So, long story short: The CPID system is working exactly as intended. There is a reason why the exported CPID changes when your email changes even if your private CPID does not.
That is also why it was never designed to be stable over decades - especially not in the presence of inactive projects. This is where the stats-sites come into the picture: It is completely up to them to keep track of the historical CPIDs in the export data from active and inactive projects and selectively match them against each other while taking the timestamps into account. It is not enough to simply store all the different exported CPIDs for your account in one big pile because that opens up the possibility of false positives over time, but even that simple method is a good start.

I realize that the system has become a victim of its own success - it works so well that people have started using the CPID as the sole identifier for the accounts (like people using links to stats sites using their exported CPID on their website/signatures or even entire stats sites without any form of user account structure where they are simply using the CPIDs directly instead). This was not the intention - and the problem will only get worse over time. The fix, however, lies firmly with the stats sites. In the future this is how you will be able to tell really good stats sites from the other ones: They will have the ability to properly and automatically manage and match your historical CPIDs for all projects to link with old and abandoned projects.

ps. I'm fairly certain that Maxwell [MM] validated his email a looong time ago ;)

Profile Maxwell [MM]
Send message
Joined: 10 Aug 09
Posts: 10
Credit: 1,075,680
RAC: 0
Message 13576 - Posted: 14 Feb 2015, 16:28:56 UTC - in response to Message 13575.

ps. I'm fairly certain that Maxwell [MM] validated his email a looong time ago ;)

Hah! Thank you for reminding me of that "fact"... ;)

@noderaser: I can actually join new projects. New projects don't require a valid email address; they just use it as an identifier.

Anyway, back to the original point of the thread: there are other spam-reduction techniques other sites are using (e.g., RAC > 50). I know I have other teammates in the same boat as I was.


Post to thread

Message boards : Problems and Help : Eliminate "Validate Email Address" Requirement