@resist1984 Is there a better option for CAPTCHAs?
@tobtobxx Your premise in your question assumes there's a problem to solve. Can you describe the problem?
@resist1984 How would you defend against let's say spam bots creating a lot of new resource intensive git repos on a public git server? (The users are created by humans, just the repos are created by bots.)
@tobtobxx in principle there's no need for a web UI for github. repos can be serviced via SSH and to date there's been no need to CAPTCHA SSH users. Github chooses to make some functions exclusively available in their web UI (e.g. PRs), but that's their choice. And it's that choice by which their perceived need for CAPTCHA arises.
@tobtobxx vandalism still happens, ssh or not, but this can be controlled by way of access controls. Not to mention cleanup tools. E.g. if your inbox gets spammed the email firewalls isn't your only defense. There is SpamAssassin, and the possibility to extend Spamassassin's role beyond email.
@resist1984 I was thinking about @codeberg's situation.
codeberg.org is a small nonprofit offering services similar to GitHub but with a foss backend (gitea fork).
They were recently impacted by an attack described in my previous post.
They ended up blocking access via tor, which they are not happy to do, but rather forced.
I guess we live in a cruel world. Those trying to do things right get attacked and ripped🤷🏼♂️.
To be precise we never did and do not generally block tor or users from the tor network. We just do not allow account setup with single-use/throwaway email provider addresses anymore that have frequently been used by attackers. Also, IPs engaging in attacks are banned for some hours.
Codeberg is still accessible via tor.
@codeberg @tobtobxx I'm glad Tor was not permanently blocked -- that would have been an overly crude attempt at a remedy. Restricting access to the kinds of email accounts that require mobile ph# reg. is also overly crude, and I hope that would be temporary until the server gets smarter about detecting & reacting to attack. Perhaps access controls need to be more refined.
Is it possible at all to solve a captcha an not been treated as a robot ?
@wend I don't follow. If you're presented with a CAPTCHA, then you've already been treated as a robot whether to solve it or not. From there, I personally suggest /not/ solving CAPTCHAs b/c that supports the CAPTCHA pushers. When you dance for them you give them power.
Yes. And it makes me feel stupid.
Also, so I understand, Google's CAPTCHA also tries to detect if you've signed into, or have, a Google account & connect the two - tracking!
@Horizon_Innovations indeed it does.. it collects any google cookies that are still active.
@resist1984 I refuse to be a free 'mechanical turk' for google's image classifier training.