Look, we can debate the proper and private way to do Captchas all day, but if we
remove the existing implementation we will be plunged into a world of hurt. I
run tucson.social - a tiny instance with barely any users and I find myself
really ticked off at other admins’ abdication of duty when it comes to engaging
with the developers. For all the Fediverse discussion on this, where are the
GitHub issue comments? Where is our attempt to convince the devs in this? No,
seriously WHERE ARE THEY? Oh, you think that just because an “Issue” exists to
bring back Captchas is the best you can do? NO it is not the best we can do, we
need to be applying some pressure to the developers here and that requires
EVERYONE to do their part. The Devs can’t make Lemmy an awesome place for us if
us admins refuse to meaningfully engage with the project and provide feedback on
crucial things like this. So are you an admin? If so, we need more comments
here: https://github.com/LemmyNet/lemmy/issues/3200
We need to make it VERY clear
that Captcha is required before v0.18’s release. Not after when we’ll all be
scrambling…

EDIT: To be clear I’m talking to all instance admins, not just
Beehaw’s.

UPDATE: Our voices were heard!
https://github.com/LemmyNet/lemmy/issues/3200#issuecomment-1600505757
The
important part was that this was a decision to re-implement the old (if
imperfect) solution in time for the upcoming release. mCaptcha and better techs
are indeed the better solution, but at least we won’t make ourselves more
vulnerable at this critical juncture.
Lemmy issue #2922 is where it was removed 2 weeks ago due to its effectiveness being limited; Lemmy issue #3200 is the issue where it is suggested to have it return. Repo maintainers are somewhat receptive to reverting it but would be more willing to accept a full implementation of graphical CAPTCHA over the previous version.
I’m keeping my own opinions of it to this comment… The spam wave is troublesome and Captcha will slow it down a little bit. While making noise about it is good, making it everyone’s responsibility to peer pressure the developers into doing it seems like crossing the line to me.
Imho it would be better if people either held off on migration until it’s implemented or have a fork of it that contains captcha features where there aren’t existing protections (such as manual vetting).
I get that these things make the project better and viable but the repo maintainers aren’t magicians and we should overall curb open-source entitlement to a reasonable level.
I have an instance that I created just for testing the software. It’s not being used. In fact, since it’s for testing only, it’s not even federated (federation turned off) because I don’t want to inflict my testing on anyone else. Also, the URL is not published anywhere. Since it’s just for testing, I had it with open registrations. A couple of days ago I woke up to find twenty new accounts. Somehow spammers got to it (again, no federation, URL unpublished anywhere). My theory is that since it was lemmy.<domain> that they were trying that kind of subdomain randomly. Anyway, manually removing 20 accounts from Lemmy is a pain. Moderation tools in Lemmy are severely lacking yet. I mean, it’s alpha software, we know it’s still a work in progress, so some issues like this are to be expected. But my point is that they shouldn’t be removing the very few tools to prevent spammers that instance admins have.
I agree with that. Things change quickly too, what was not a problem at all 2 weeks ago (when the CAPTCHA removal PR was put in) is a big problem now as the Lemmy Threadiverse is more than 10x its previous size.
I wouldn’t put it past people probing every domain for lemmy using a dictionary attack and TLDs. (lemmyhub.site, lemmyclub.xyz, lemmystation.pictures, etc.)