Diary of a sock hunter.
How NEM tried to find and eliminate unrightfully claimed stakes.
Preface
We’d like to preface this document by saying we didn’t make the decision to do more sock auditing easily. It was a very, very long-winded discussion. On the one hand people felt like we had already wasted enough time with ensuring a proper distribution. On the other hand distribution is very important for non-inflationary coins so all the effort will hopefully pay off eventually.
We’d like to emphasize that we did not choose this way of redemption just because we wanted to weed out socks. It was the easiest way to handle redemption for thousands of people, from a logistics perspective.
We’d also like to highlight the fact that we did not store any personally identifiable information during redemption. Every single bit of data we collected was anonymized and it was not a lot of data to begin with (as you’ll see later).
Each locked account was locked manually and decisions were made on a case-by-case basis. We felt that a script might make mistakes and we didn’t want to risk that.
Technicalities
By now you are probably wondering how we identified socks. We used browser fingerprinting as implemented here: https://github.com/Valve/fingerprintjs and hashed IPs. That’s it. Cookies were used strictly to handle sessions and avoid spam. We did not use evercookie or similar technology.
What fingerprintjs does is use certain browser characteristics (plug-ins, installed fonts, OS, canvas, etc.) to create a unique hash for each browser. It is said to have about 80% accuracy in identification. Given that we’re dealing with only approximately 1500 people here, it is reasonable to assume that the accuracy would be a lot higher since the more people are involved, the more likely it is that multiple people will have the exact same setup.
Fingerprints from TOR-Browserbundle will not be counted as sockpuppets. We don’t want to invade anyone’s privacy, which is why we also didn’t restrict access via TOR in the first place.
Lastly, we also looked at timeframes: how long between registrations, how often a fingerprint was used within a given amount of time, stuff like that.
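The three signals described above (fingerprint, hashed IP, timing), combined into a per-fingerprint summary for a human reviewer; this is an added example, not NEM's own tooling. The record layout, the keyed HMAC for IP hashing, the one-hour burst window and all sample data are assumptions constructed for illustration; the review threshold follows the 2-stakes-per-person rule.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical secret. A keyed hash is an assumption (the page only says "hashed IPs");
# it keeps the small IPv4 space from being brute-forced back to addresses.
IP_HASH_KEY = b"constructed-demo-key"

def hash_ip(ip: str) -> str:
    """Pseudonymise an IP so only equality between claims can be compared."""
    return hmac.new(IP_HASH_KEY, ip.encode(), hashlib.sha256).hexdigest()[:16]

# Constructed sample claims: (stake id, fingerprint, IP, claim time). Not real data.
CLAIMS = [
    ("s1", "fpA", "198.51.100.7", "2015-03-01 10:00"),
    ("s2", "fpA", "198.51.100.7", "2015-03-01 10:12"),
    ("s3", "fpA", "198.51.100.7", "2015-03-01 10:40"),
    ("s4", "fpB", "203.0.113.5", "2015-03-02 09:00"),
    ("s5", "fpB", "203.0.113.9", "2015-03-02 09:20"),
    ("s6", "fpB", "203.0.113.77", "2015-03-03 18:05"),
    ("s7", "fpC", "192.0.2.44", "2015-03-04 12:00"),
    ("s8", "fpD", "192.0.2.45", "2015-03-10 12:00"),
    ("s9", "fpD", "192.0.2.46", "2015-03-25 08:00"),
]

def summarize(claims, max_stakes=2, burst=timedelta(hours=1)):
    """Group claims by fingerprint and report the signals a reviewer would weigh."""
    groups = defaultdict(list)
    for stake, fp, ip, ts in claims:
        groups[fp].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), hash_ip(ip), stake))
    report = {}
    for fp, rows in groups.items():
        rows.sort()  # chronological order, so consecutive claims can be compared
        times = [t for t, _, _ in rows]
        ips = [h for _, h, _ in rows]
        report[fp] = {
            "stakes": [s for _, _, s in rows],
            "distinct_ips": len(set(ips)),
            "reused_ips": len(ips) - len(set(ips)),
            "active_days": len({t.date() for t in times}),
            # consecutive claims no more than `burst` apart ("claimed in a row")
            "burst_pairs": sum(b - a <= burst for a, b in zip(times, times[1:])),
            # over the per-person limit: queue for a manual, case-by-case look
            "needs_review": len(rows) > max_stakes,
        }
    return report
```

The output only ranks fingerprints for inspection; it locks nothing, matching the manual, case-by-case process described in the preface.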
Findings: case-by-case decisions
We outline here the decision-making process. We believe this will clearly show that there is solid evidence why some of these accounts are locked and that we didn’t lock these accounts for no good reason.
Let’s start with the scammers…
During the redemption process, several BTT accounts were reported stolen, probably due to the recent phishing attacks.
Interestingly, some of those accounts were already claiming their stakes, and even more interestingly, all of the claimed stakes that belonged to stolen accounts were only claimed by 2 different fingerprints. What a coincidence!
We decided to lock all stakes claimed with those fingerprints since they gave us strong reason to believe that all of them were stolen.
On to the sockpuppets…
We wanted to try to enforce the 2 stakes per person rule as much as possible but we felt it was even more important not to lock out legit people that just happened to have the same fingerprint.
The following is a breakdown of how the decisions came about:
Example 1 - Clear as day…
As can be seen, both fingerprint and IP are exactly the same for all claimed stakes. Further, they were claimed on the same day, most of them within an hour. The odds of them not being the very same person for all stakes are 0. This is a clear case of someone that tried to claim more stakes than he or she was entitled to.
Example 2 - less clear but still pretty obvious…
This is pretty much the same case as the previous one but the time span of the claims was more spread out. Let’s think about this. Maybe that is the IP of a VPN service and a very common browser setup. How likely is it that a very common browser setup only appears on 5 days that are relatively close to each other and never again for the rest of the month? Not very likely, we should say. And how likely is it that all users of that VPN service that are NEM stakeholders used the very same browser setup? Also not very likely. We are not even starting to talk about TOR because if that’s a TOR-exit then the chances are next to 0.
Example 2 is not as conclusive as Example 1, but the probability is much too high that someone tried to game the system here.
Example 3 - hmmmm…
This is an interesting case. We have the same fingerprint but not a single IP was used twice. Let’s think about how easy it is to change IPs. There are dozens of plugins for all browsers that switch between proxies at the click of a button and most VPN providers offer quite a few servers, all of which you can cycle through as much as you want. However, that’s not enough to just lock someone out. Let’s look at the timeframe. All of the stakes were claimed within 2 days and we can clearly see that many of them were claimed “in a row”. So how likely is it that a common browser setup is used on only 2 days out of a month and on both of those in relatively narrow timeframes? I’d say it’s a very, very slim chance. So again we have caught a sock-master.
Example 4 - close calls…
This is a tricky one. Almost all have different IPs and the timeframe isn’t nearly as narrow as with the last three cases. However, two IPs were used twice, which is the first indicator. We can also see that the same fingerprint was used within only 30 minutes on some days. This may not be conclusive enough to lock the stakes. However, for 19 of them to have the exact same fingerprint it would require all of them to have the exact same setup. If it had indeed been a common setup, this should have occurred more often. In order to be more conclusive, we decided to investigate the BTT accounts further, so that we could form better conclusions. Most of these accounts were new accounts created at around the same time when NEM launched the project. Most of them were actually created within a period of 2 days. These findings can only lead us to believe that it cannot be a coincidence that these users registered themselves at the same time. On that basis, we shall disqualify only the stakes claimed by accounts that were newbies/brand new and created on the same days specifically for NEM.
We believe we have been fair in our decisions and that we always had very solid proof.
With this last surprise exercise we believe we have weeded out most of the socks and therefore we have optimized our distribution to the best of our ability, given the current constraints that we are working on.
We only have this to say to those who have been denied their stakes:
You will note that we DID NOT TAKE all your stakes away. We want to be fair and we expect the community to be truthful and honest so that we can have a good start. You know you are guilty and we have the proof and means to identify you. Further, we have not entirely taken all your stakes but only those additional sockpuppet stakes that we believe you are not rightly entitled to.
Let us move on from here and look forward to a good start when we launch.
We hope that even those who lost their stakes can put aside their personal interests and work together with everyone to create a new economy that is based on the principles of financial freedom, decentralization, and equality of opportunity. Together we can create a better world that is truly a utopian future.
(edited: restored the post)