this post was submitted on 20 Jun 2023
222 points (100.0% liked)

Technology

37708 readers
347 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
 

Look, we can debate the proper and private way to do Captchas all day, but if we remove the existing implementation we will be plunged into a world of hurt.

I run tucson.social - a tiny instance with barely any users and I find myself really ticked off at other Admin's abdication of duty when it comes to engaging with the developers.

For all the Fediverse discussion on this, where are the github issue comments? Where is our attempt to convince the devs in this.

No, seriously WHERE ARE THEY?

Oh, you think that just because an "Issue" exists to bring back Captchas is the best you can do?

NO it is not the best we can do, we need to be applying some pressure to the developers here and that requires EVERYONE to do their part.

The Devs can't make Lemmy an awesome place for us if us admins refuse to meaningfully engage with the project and provide feedback on crucial things like this.

So are you an admin? If so, we need more comments here: https://github.com/LemmyNet/lemmy/issues/3200

We need to make it VERY clear that Captcha is required before v0.18's release. Not after when we'll all be scrambling...

EDIT: To be clear I'm talking to all instance admins, not just Beehaw's.

UPDATE: Our voices were heard! https://github.com/LemmyNet/lemmy/issues/3200#issuecomment-1600505757

The important part was that this was a decision to re-implement the old (if imperfect) solution in time for the upcoming release. mCaptcha and better techs are indeed the better solution, but at least we won't make ourselves more vulnerable at this critical juncture.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 34 points 1 year ago* (last edited 1 year ago) (14 children)

There are other options.

I'm just a hobbyist, but I have built a couple websites with a few hundred users.

A stupidly simple and effective option I've been using for several years now, is adding a dummy field to the application form. If you add an address field, and hide it with CSS, users won't see it and leave it blank. Bots on the other hand will see it and fill it in, because they always fill in everything. So any application that has an address can be automatically dropped. Or at least set aside for manual review.

I don't know how long such a simple trick will work on larger sites. But other options are possible.

[–] [email protected] 8 points 1 year ago (9 children)

Couldn't the bots just be programmed to not fill out that field? Or not fill out any field flagged as hidden?

[–] [email protected] 11 points 1 year ago (7 children)

You'd think so.

But it's not flagged as hidden. Instead you use CSS to set display as none. So the bot needs to do more than look at the direct HTML. It needs to fully analyze all the linked HTML, CSS, and even JavaScript files. Basically it needs to be as complex as a whole browser. It can't be a simple script anymore. It becomes impracticality complicated for the not maker.

[–] [email protected] 10 points 1 year ago (1 children)

This might work against very generic bots, but it won't work against specialized bots. Those wouldn't even need to parse the DOM, just recreate the HTTP requests.

[–] [email protected] 8 points 1 year ago (1 children)

Which is why you'd need something else for popular sites worth targeting directly. But there are more options than standard capta's. Replacing them isn't necessarily a bad idea.

[–] [email protected] 6 points 1 year ago (1 children)

This is what I'm worried about. As the fediverse grows and gains popularity it will undoubtedly become worth targeting. It's not hard to imagine it becoming a lucrative target for things like astroturfing, vote brigading etc bots. For centralized sites it's not hard to come up with some solutions to at least minimize the problem. But when everyone can just spin up a Lemmy, Kbin, etc instance it becomes a much, much harder problem to tackle because instances can also be ran by bot farms themselves, where they have complete control over the backend and frontend as well. That's a pretty scary scenario which I'm not sure can be "fixed". Maybe something can be done on the ActivityPub side, I don't know.

[–] [email protected] 6 points 1 year ago (1 children)

That's where simple defederation happens. It's mostly why behaww cut off lemmy.world.

[–] [email protected] 5 points 1 year ago (2 children)

What if you have 100s or 1000s of such instances? At some point you defeat the entire purpose of the federation.

[–] [email protected] 3 points 1 year ago

That's when you go to a federation white-list, instead of black-list.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

I foresee islands of instances not federated with each other, like cities without a road connecting them. There could be an island of instances that will be full of bots and illegal shit with open sign ups, and there will be other islands with stricter requirements, effectively no bots run by people who want good social media.

load more comments (5 replies)
load more comments (6 replies)
load more comments (10 replies)