A reply to this:
Vod, do you know the actual purpose of the CAPTCHA? Everybody seems to assume that it's there to keep out spambots.[1] My first hunch is that theymos has a problem with bruteforcing of luser passwords, resulting in stolen accounts. You may perhaps know for certain, not as a matter of assumptions or speculation.
[...]
I would understand if theymos desires that such information not be disclosed. But I ask because I have wanted to suggest some alternative solutions; and it's difficult to know whether my ideas are even worth mentioning.
...devolved to this:
Since multiple users can be legitimately logged in from the same IP address, banning IP addresses for failed login attempts is also not a solution to bruteforcing. If theymos did that, then it would be trivial for an attacker to effectually ban Tor users from logging in to bitcointalk.org by deliberately making many bad login attempts from every exit node. Thus, I infer that theymos does not do this; and I assume the timeout you describe somehow works with cookies, or the like. Granted, I could be wrong there. It may simply be that nobody evil has thus far bothered to get Tor exits banned from attempted login.
I guess you should also reread what I wrote
Since you jumped at my assumption of temporarily (note that) banning an IP address, but you chose to completely ignore the fact that you can't log in again after a failed attempt for 60 seconds, if I'm not mistaken. I don't know how it is now with reCaptcha employed (since it takes longer than 60 seconds to pass anyway), but before it was introduced, you had to wait for some time if you entered incorrect credentials. At least, that's what I remember, and that might not have had anything to do with your IP address at all, e.g. access to a specific account might have been restricted temporarily (but things might have changed since then, of course).
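The two throttling rules argued over above, a per-account wait after a failed attempt versus an IP-keyed rule that an attacker could turn against a whole Tor exit, as an added example that is not code from this thread or from bitcointalk.org's forum software. The 60-second account wait follows the post above; the per-IP window, the CAPTCHA gate instead of an IP ban, the demo credential store and all IP addresses and usernames are constructed assumptions for the demo:

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed demo credential store (NOT a real password-hashing scheme;
# a production system would use argon2/bcrypt/scrypt with per-user salts).
SALT = b"demo-salt"
USERS = {"alice": hashlib.sha256(SALT + b"correct horse").hexdigest()}

ACCOUNT_LOCK_SECONDS = 60      # assumed: one retry per account per 60 s, as described above
IP_WINDOW_SECONDS = 600        # assumed: rolling window for per-IP failure counting
IP_FAILS_BEFORE_CAPTCHA = 20   # assumed: past this, the IP must solve a CAPTCHA (not a ban)


class LoginThrottle:
    """Per-account lockout plus a per-IP CAPTCHA gate, with an injected clock for testing."""

    def __init__(self):
        self.account_locked_until = {}          # username -> unix time the lock expires
        self.ip_failures = defaultdict(deque)   # ip -> timestamps of recent failures

    def _ip_recent_failures(self, ip, now):
        q = self.ip_failures[ip]
        while q and q[0] <= now - IP_WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        return len(q)

    def attempt(self, username, password, ip, now, captcha_solved=False):
        # 1. Account-keyed rule: any failure locks the account name for 60 s,
        #    regardless of which IP the next attempt comes from.
        if self.account_locked_until.get(username, 0) > now:
            return "locked"
        # 2. IP-keyed rule: a noisy IP (e.g. a Tor exit) is gated behind a CAPTCHA
        #    rather than banned, so other users behind it can still get in.
        if self._ip_recent_failures(ip, now) >= IP_FAILS_BEFORE_CAPTCHA and not captcha_solved:
            return "captcha_required"
        digest = hashlib.sha256(SALT + password.encode()).hexdigest()
        expected = USERS.get(username)
        if expected is not None and hmac.compare_digest(digest, expected):
            return "ok"
        # Lock on failure even for unknown usernames, so the response does not
        # leak which accounts exist (an unbounded dict; a real system would expire it).
        self.account_locked_until[username] = now + ACCOUNT_LOCK_SECONDS
        self.ip_failures[ip].append(now)
        return "bad_credentials"


def tor_exit_scenario():
    """Attacker sprays bad logins from one exit IP; a legit user shares that exit."""
    t = LoginThrottle()
    exit_ip = "198.51.100.7"   # constructed
    sprayed = [t.attempt(f"bot{i:03d}", "hunter2", exit_ip, now=float(i)) for i in range(25)]
    alice_plain = t.attempt("alice", "correct horse", exit_ip, now=30.0)
    alice_captcha = t.attempt("alice", "correct horse", exit_ip, now=31.0, captcha_solved=True)
    return {
        "failures_recorded": sprayed.count("bad_credentials"),
        "captcha_gated": sprayed.count("captcha_required"),
        "alice_without_captcha": alice_plain,
        "alice_with_captcha": alice_captcha,
    }


def account_lockout_scenario():
    """Attacker fails once on alice's name; alice is shut out for 60 s even with the right password."""
    t = LoginThrottle()
    attacker = t.attempt("alice", "wrong", "203.0.113.5", now=1000.0)
    alice_early = t.attempt("alice", "correct horse", "192.0.2.9", now=1010.0)
    alice_later = t.attempt("alice", "correct horse", "192.0.2.9", now=1060.0)
    return (attacker, alice_early, alice_later)


if __name__ == "__main__":
    print(tor_exit_scenario())
    print(account_lockout_scenario())
```

The two scenario functions show the trade-off each side of the argument is pointing at: the IP rule alone would let one spray from an exit node shut out everyone behind it, which the CAPTCHA gate avoids at the cost of friction, while the account rule alone lets an attacker deny a named user login for a minute at a time from anywhere.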
You incorrectly assume that a spammer must log in his sybil accounts from the same IP address. Spammers often have many IP addresses; and indeed, it would be easy to do away with account farmers if they always logged their zillions of accounts in and out from the same IP address. Also, multiple accounts can be logged in from the same IP address. Either way, there is no reason for a spambot to ever log out.
I'd rather say it is your incorrect assumption that spammers have multiple IP addresses (on the order of dozens, at least). Some of them do, but certainly not the majority.
Are you speculating, or do you have certain knowledge? I asked a question, because I don't know. I nominally addressed my question to Vod, because I've seen him deeply involved in discussions of combatting abuse; and I inferred that perhaps, he may know something which I do not. And I keep asking, because three weeks ago I wound up chasing my tail trying to work out a viable means of public-key auth login, which would help solve the problem of bruteforce login attempts, but would do nothing against spambots.[1]
I set forth a query clearly in the interrogative; and I laid out my reasoning for an educated hypothesis. Whereas my question can only be answered by somebody who does actually know the precise nature of the problem which theymos ameliorated with the login CAPTCHA. If you do know, please say; but if you don't, then I can tell you, your guess isn't nearly as good as mine is.
I have been repeatedly asking all month whether my hypothesis about the login CAPTCHA is correct. There are exactly three valid answers: Yes, no, and "no comment, that is sensitive operational security information which we will not tell to someone we don't know and trust." Any of those would be fine from someone who actually knows. Whereas if you're simply hashing out your own hypothesis, then this whole discussion is a waste of my time.
1. Any spambot which could log in and set up a client certificate for future logins could also save a cookie for staying logged in. Duh. But I'd like to know for certain before I pour more time into the sorry state of public-key auth on the Web. Browser vendors deprecated or even removed while I wasn't looking. Only a minuscule fraction of users would be able to manually generate TLS certificate requests, or use alternatives such as SSH tunnels, OpenVPN, etc., etc. I spent hours trying to figure out an administrator-friendly and user-friendly solution, with the goal of making a suggestion which might actually be implemented. Then I realized, I shouldn't bother trying to otherwise resolve the CAPTCHA's purpose when I do not know its purpose with any degree of certainty.
Forums can use both, and members could select which option they'd like to log in with.
I remember such a feature being used in faucets years ago.
Well, at least that wouldn't make things worse; but from my perspective, it wouldn't make things better, either!