A reply to this:
Vod, do you know the actual purpose of the CAPTCHA? Everybody seems to assume that it’s there to keep out spambots.[1] My first hunch is that theymos has a problem with bruteforcing of luser passwords, resulting in stolen accounts. You may perhaps know for certain, not as a matter of assumptions or speculation.
[...]
I would understand if theymos desires that such information not be disclosed. But I ask because I have wanted to suggest some alternative solutions; and it’s difficult to know whether my ideas are even worth mentioning.
...devolved to this:
Since multiple users can be legitimately logged in from the same IP address, banning IP addresses for failed login attempts is also not a solution to bruteforcing. If theymos did that, then it would be trivial for an attacker to effectually ban Tor users from logging in to bitcointalk.org by deliberately making many bad login attempts from every exit node. Thus, I infer that theymos does not do this; and I assume the timeout you describe somehow works with cookies, or the like. Granted, I could be wrong there. It may simply be that nobody evil has thus far bothered to get Tor exits banned from attempted login.
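The lockout scenario described in the post above, as an added simulation that is not part of the original thread and says nothing about what bitcointalk.org actually does: a failed-login throttle keyed on the client IP alone lets anyone who burns a few bad attempts from a Tor exit lock every other user of that exit out, whereas a throttle keyed on the (account, IP) pair only locks the pairs the attacker actually targeted. The threshold, window, exit address and account names are constructed for the example; the fake clock exists so the run is deterministic.

```python
"""Failed-login throttling: key on IP alone vs. on (account, IP).

Added illustration, not bitcointalk/SMF code. MAX_FAILURES, WINDOW_SECONDS,
the exit address and the account names are constructed for the demo.
"""
import time
from collections import defaultdict

MAX_FAILURES = 5       # assumed threshold: lock after this many failures
WINDOW_SECONDS = 60    # assumed sliding window for counting failures


class FailureThrottle:
    """Sliding-window failure counter; `key` decides what a failure is charged to."""

    def __init__(self, key, clock=time.time):
        self.key = key
        self.clock = clock
        self.failures = defaultdict(list)  # key -> list of failure timestamps

    def _prune(self, k, now):
        # drop failures that have aged out of the window
        self.failures[k] = [t for t in self.failures[k] if now - t < WINDOW_SECONDS]

    def allowed(self, account, ip):
        k = self.key(account, ip)
        self._prune(k, self.clock())
        return len(self.failures[k]) < MAX_FAILURES

    def record_failure(self, account, ip):
        self.failures[self.key(account, ip)].append(self.clock())


def by_ip(account, ip):
    """Naive policy: every failure from an address counts against everyone behind it."""
    return ip


def by_account_and_ip(account, ip):
    """Failures only count against the specific account tried from that address."""
    return (account, ip)


class FakeClock:
    """Deterministic stand-in for time.time() so the simulation is repeatable."""

    def __init__(self, start=1_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate(key):
    """Play out the attack from the post against a throttle using `key`."""
    clock = FakeClock()
    throttle = FailureThrottle(key, clock=clock)
    exit_ip = "198.51.100.7"  # constructed: stands in for a Tor exit (RFC 5737 doc range)

    # 1. attacker burns the failure budget with throwaway account names
    for i in range(MAX_FAILURES):
        throttle.record_failure(f"throwaway{i}", exit_ip)
    # legitimate user behind the same exit now tries her own account
    legit_user_allowed = throttle.allowed("alice", exit_ip)

    # 2. attacker switches to guessing alice's password from the same exit
    for _ in range(MAX_FAILURES):
        throttle.record_failure("alice", exit_ip)
    targeted_account_allowed = throttle.allowed("alice", exit_ip)

    # 3. after the window expires, the lock should clear either way
    clock.advance(WINDOW_SECONDS + 1)
    after_window = throttle.allowed("alice", exit_ip)

    return {
        "legit_user_allowed": legit_user_allowed,
        "targeted_account_allowed": targeted_account_allowed,
        "after_window": after_window,
    }


if __name__ == "__main__":
    print("per-IP key:          ", simulate(by_ip))
    print("per-(account,IP) key:", simulate(by_account_and_ip))
```

Keying on the pair closes the shared-exit denial of service but does nothing against a distributed bruteforce that spreads one account's guesses over many addresses; a production throttle needs a per-account global backoff on top, and that in turn reopens a targeted lockout of that one account, which is the trade-off the thread is circling.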
I guess you should also reread what I wrote
Since you jumped at my assumption of temporarily (note that) banning an IP address but you chose to completely ignore the fact that you can't log in again after a failed attempt for 60 seconds, if I'm not mistaken. I don't know how it is now with reCaptcha employed (since it takes longer than 60 seconds to pass anyway), but before it was introduced, you had to wait for some time if you entered incorrect credentials. At least, that's what I remember, and that might not have had anything to do with your IP address at all, e.g. access to a specific account might have been restricted temporarily (but things might have changed since then, of course).
You incorrectly assume that a spammer must log in his Sybil accounts from the same IP address. Spammers often have many IP addresses; and indeed, it would be easy to do away with account farmers if they always logged their zillions of accounts in and out from the same IP address. Also, multiple accounts can be logged in from the same IP address. Either way, there is no reason for a spambot to ever log out.
I'd rather say it is your incorrect assumption that spammers have multiple IP addresses (on the order of dozens, at least). Some of them do, but certainly not the majority.
Are you speculating, or do you have certain knowledge? I asked a question, because I don't know. I nominally addressed my question to Vod, because I've seen him deeply involved in discussions of combatting abuse; and I inferred that perhaps, he may know something which I do not. And I keep asking, because three weeks ago I wound up chasing my tail trying to work out a viable means of public-key auth login—which would help solve the problem of bruteforce login attempts, but would do nothing against spambots.
I don't quite understand what part of my post you refer to as speculating. But I'm utterly curious what makes you think that all spammers (well, most of them) have simultaneous access to multiple IP addresses (if that was your point). Anyway, why don't you just ask theymos directly (via PM or elsewise)? I guess he is the only one who can give you precise answers as to his intents and purposes. But since you are still sticking around here, I arrive at the conclusion that he is not likely to respond to your queries. So who is wasting whose time, actually?
But never mind. When you are a newbie you can't post more than once in a while (like 6 minutes or so), and if you try you will get a warning that clearly states that your IP address is being limited, i.e. not your session or whatever. What else do you want to know?