20 votes

Topic deleted by author

44 comments

  1. [18]
    unknown user
    Link
    I don't think it is possible, not only for Tildes, but for any place. Spamming is not the old annoying thing it used to be, it has become some sort of warfare in this day. And even the big players...

    I don't think it is possible, not only for Tildes, but for any place. Spamming is not the old annoying thing it used to be, it has become some sort of warfare in this day. And even the big players are basically just skimming the foam off of the boiling pot that is all sorts of spam and organised manipulation. In Turkish twitter it can't handle apparently machine-generated tweets like "potato sandwich #SomeHashTag crisscross g-string pineapples" pushing that tag into trending topics.

    Honestly I hope Tildes stays the way it is now: publicly viewable, permanently invite only.

    28 votes
    1. [11]
      FZeroRacer
      Link Parent
      This is exactly how it should be. Once you open up the floodgates you start getting a lot more bad actors nowadays whose sole purpose is to spread objective bullshit. It's remarkably unfortunate,...

      This is exactly how it should be. Once you open up the floodgates you start getting a lot more bad actors nowadays whose sole purpose is to spread objective bullshit. It's remarkably unfortunate, but it's something I've seen growing across forums that can't manage their userbase at scale. As much as I keep harping on HN, they're a prime example of this occurring because the moderation team is seemingly scared of being more strict with their userbase.

      9 votes
      1. [7]
        Comment deleted by author
        Link Parent
        1. Amarok
          Link Parent
          This is likely to happen. It works for metafilter, it works for many private trackers, it's a proven method. Plus, I do like the indignation of a crowd showing up and seeing the door slammed shut...

          This is likely to happen. It works for metafilter, it works for many private trackers, it's a proven method. Plus, I do like the indignation of a crowd showing up and seeing the door slammed shut in their faces. :D

          10 votes
        2. DashEquals
          Link Parent
          Another idea is something that many Mastodon instances are using: application-only entry. If you have to apply for entry, most low level spammers will get left out, while those that get approved...

          Another idea is something that many Mastodon instances are using: application-only entry. If you have to apply for entry, most low level spammers will get left out, while those that get approved will get banned quickly. For a legitimate user, on the other hand, applying wouldn't be too much of a hassle.

          4 votes
        3. [4]
          Nitta
          Link Parent
          If every 5th account is a spam one, then opening registration for 1000 accounts will bring 200 spammer ones in. What's typically done after that? Is the benefit from letting let's say 400 shy...

          If every 5th account is a spam one, then opening registration for 1000 accounts will bring 200 spammer ones in. What's typically done after that? Is the benefit from letting let's say 400 shy people (who wouldn't get invites otherwise) in still justifying the ingress of 200 spammers? I hope I don't misunderstand this all too much.

          3 votes
          1. [3]
            Amarok
            Link Parent
            The way Tildes maps the invite tree, finding any single one of these spammers is going to expose all of them, and the users, codes, and links used to bring them in, which can then all be vetted by...

            The way Tildes maps the invite tree, finding any single one of these spammers is going to expose all of them, and the users, codes, and links used to bring them in, which can then all be vetted by the admins. The only way for a spammer to avoid this is to avoid spamming, or to spam in such a way that no one can tell they are spamming, in which case I don't see it as a problem. The rules on clearly labeling self promotion will also help with this.

            Most spam is coming from artificial stupids, and those simplistic engines only work on places with no quality control or reputation or consequences attached to the user accounts (like reddit). Tildes isn't one of those places. As for humans who are being paid to spam, they'll have to learn how to spam without being noticed, which is kinda the opposite of the purpose of spam. The only real option they have here is 'honesty in promotion' which means clearly labeling their content as such. Failure to do so will bring the hammer down.

            It's going to be interesting watching spammers break like waves on this system, which is something they've never encountered before, designed to take away all of their power. Spammers are going to have to be very, very clever here - and I doubt most of them are, or they'd be finding a more profitable and productive use of their mental faculties than working for some click-farm.

            Spam is not hard to beat. It's just that no one ever really tries.

            3 votes
            1. [2]
              Wes
              Link Parent
              All of this assumes the existence of an invite tree, though. I think realistically Tildes will eventually be open to registration, and traditional spam-fighting methods will be necessary.

              All of this assumes the existence of an invite tree, though. I think realistically Tildes will eventually be open to registration, and traditional spam-fighting methods will be necessary.

              1 vote
              1. Amarok
                Link Parent
                Not exactly traditional, by then the trust system should be watching how accounts behave - and this goes beyond just what you post and say and vote on and what reputation is earned. It'll also be...

                Not exactly traditional, by then the trust system should be watching how accounts behave - and this goes beyond just what you post and say and vote on and what reputation is earned. It'll also be watching ip addresses, frequently posted/spammed sites, copypasta in submissions and comments, and probably a whole pile of other criteria we haven't even thought up yet.

                1 vote
      2. [4]
        UntouchedWagons
        Link Parent
        But what would prevent a bad actor from getting an account, inviting 5 other bad actors and they each invite 5 bad actors etc...

        But what would prevent a bad actor from getting an account, inviting 5 other bad actors and they each invite 5 bad actors etc...

        1 vote
        1. DrStone
          Link Parent
          While hidden to us end users, the invitation relationships are tracked and visible to Tildes admin. When a user is found to be a bad actor, it's easy to scrutinize the full "family tree" the user...

          While hidden to us end users, the invitation relationships are tracked and visible to Tildes admin. When a user is found to be a bad actor, it's easy to scrutinize the full "family tree" the user belongs to and, if necessary, kill the entire thing (or, less severe, prevent any of them from inviting)

          17 votes
        2. [2]
          cfabbro
          (edited )
          Link Parent
          Yeah, as @Tau_Zero said, "Invited by" used to be publicly visible but was hidden due to privacy concerns, however it's still tracked internally. So, while there is nothing stopping bad actors from...

          Yeah, as @Tau_Zero said, "Invited by" used to be publicly visible but was hidden due to privacy concerns, however it's still tracked internally. So, while there is nothing stopping bad actors from doing that... there is also nothing stopping Deimos from chopping the invite trees down whenever he discovers a rotten one.

          And also worth keeping in mind is that Deimos was the anti-evil engineer at reddit for quite some time, so he knows what he is doing when it comes to detecting bad faith actors and spam networks.

          7 votes
          1. Amarok
            Link Parent
            He's still the anti-evil engineer. He just went freelance. ;)

            He's still the anti-evil engineer. He just went freelance. ;)

            4 votes
    2. Hypersapien
      Link Parent
      Metafilter charges a one-time $5 fee to sign up. You can read but not post without signing up. That tends to keep the bots out.

      Metafilter charges a one-time $5 fee to sign up. You can read but not post without signing up. That tends to keep the bots out.

      1 vote
    3. [5]
      NaraVara
      Link Parent
      Eventually that'll break down too. Once a patient spammer gets in they can slowly bring more and more spammers in. Who knows if it's actually worth it to be a patient spammer though. Their whole...

      Honestly I hope Tildes stays the way it is now: publicly viewable, permanently invite only.

      Eventually that'll break down too. Once a patient spammer gets in they can slowly bring more and more spammers in.

      Who knows if it's actually worth it to be a patient spammer though. Their whole business model is based on a shotgun approach.

      1. [3]
        unknown user
        Link Parent
        This way it is quite easy to take them down, tho. We know who brought who, and who creates faux accounts for ill purposes. If we make sure it does not grow out of hand (i.e. not too fast), then we...

        This way it is quite easy to take them down, tho. We know who brought who, and who creates faux accounts for ill purposes. If we make sure it does not grow out of hand (i.e. not too fast), then we can rather easily deal with it. Whereas with public registration people come from nowhere and everywhere, and not data is there to link one to another.

        8 votes
        1. [2]
          NaraVara
          Link Parent
          Yeah I didn't realize when I posted that Deimos can track the whole "family tree" of each member. That seems like a good way to do forensics on brigading. It does seem like a lot of work though,...

          Yeah I didn't realize when I posted that Deimos can track the whole "family tree" of each member. That seems like a good way to do forensics on brigading.

          It does seem like a lot of work though, so I wonder how it can scale.

          4 votes
          1. cfabbro
            (edited )
            Link Parent
            It's significantly less work and easier to detect than when there is no obvious connections between accounts, like on reddit. And on reddit a user can just create a new account immediately after...

            It does seem like a lot of work though, so I wonder how it can scale.

            It's significantly less work and easier to detect than when there is no obvious connections between accounts, like on reddit. And on reddit a user can just create a new account immediately after they are banned, but thanks to invite only here, bans actually have teeth and it takes far more effort and requires subterfuge to rejoin the community.

            5 votes
      2. hamstergeddon
        Link Parent
        With invite-only comes a lower (and hopefully more active?) population on the site, which means less appeal to spammers. I think the trick would be to find a sweet spot where the population is low...

        With invite-only comes a lower (and hopefully more active?) population on the site, which means less appeal to spammers. I think the trick would be to find a sweet spot where the population is low enough to not appeal to spammers, but high enough to maintain a healthy community.

        You outright cannot keep spammers out, they will find a way in. But you can mitigate their impact and how much the site appeals to them.

        4 votes
  2. [16]
    lionirdeadman
    Link
    From my knowledge it can't look at browser history unless through your google account.

    Right now google owned recaptcha literally looks at your browser history, including your google account, to determine whether or not you are human.

    From my knowledge it can't look at browser history unless through your google account.

    8 votes
    1. [9]
      Adys
      Link Parent
      Yeah it can't. I'm not sure where this is coming from. Google's Recaptcha is probably the better solutions out there in terms of stopping spam on any public forum, but it is problematic for other...

      Yeah it can't. I'm not sure where this is coming from. Google's Recaptcha is probably the better solutions out there in terms of stopping spam on any public forum, but it is problematic for other reasons such as the false positives with Tor. It's really not that bad privacy wise, but people freak out because the results of the captchas benefit Google. I think Google should release those results for the public but we don't live in that world right now.

      I kinda wish Cloudflare would do an antispam solution, they have a lot of the tools they need to do that.

      11 votes
      1. [7]
        Comment deleted by author
        Link Parent
        1. [5]
          kfwyre
          Link Parent
          Can confirm. I also suspect that it's biased against non-Chrome browsers independent of being logged in to a Google account. I use Firefox with some privacy addons as my default browser, and I...

          Can confirm. I also suspect that it's biased against non-Chrome browsers independent of being logged in to a Google account.

          I use Firefox with some privacy addons as my default browser, and I will get some ReCaptchas that simply will not let me through. I'll spend a good minute clicking stairs, then cars, then second-guessing what counts as a "storefront" based on the limited view from a tiny, grainy thumbnail, and then it will simply fail and restart. I can do this again and again to no avail. Even if I carefully perform whatever tasks it demands to perfection each and every time, it simply will not go through. I suspect it has me in an "unwinnable" state based on my configuration and whatever it deems to be unacceptable about it. Probably Firefox.

          Because if I switch over to Chromium it'll let me through despite having a nearly identical setup on that browser. Works every time, to the point that I keep Chromium installed not because I use it regularly but because I need it around to be able to get into a few of my reCaptcha-walled accounts.

          9 votes
          1. [3]
            3_3_2_LA
            Link Parent
            I use this extension and it has worked well for me. It uses voice dictation to decode the audio file and solves the audio challenge: Buster: Captcha Solver for Humans

            I use this extension and it has worked well for me. It uses voice dictation to decode the audio file and solves the audio challenge: Buster: Captcha Solver for Humans

            3 votes
            1. [2]
              Soptik
              Link Parent
              Once you encounter voice recaptcha, you can get through it. I've never experienced voice recaptcha that made you fill more than one captchas. On the other hand, if google doesn't like you (what's...

              Once you encounter voice recaptcha, you can get through it. I've never experienced voice recaptcha that made you fill more than one captchas. On the other hand, if google doesn't like you (what's this weird browser that has no google cookies, blocks fingerprinting, says it's chrome on windows (while it lacks chrome features) and blocks analytics scripts?), the captcha simply doesn't have voice version. If you click on the voice button, it simply says that this computer might be sending automated queries and to try that later.

              Today, every time I encounter recaptcha, I first check if it offers me voice captcha. If it doesn't, there's no point trying to solve it.

              Anyway this extension looks really good! Thank you for the link. Here's the extension in firefox store.

              4 votes
              1. cfabbro
                (edited )
                Link Parent
                God help you if you use a VPN with a shared IP too. If you do, recaptcha is annoying as hell, often requiring multiple solves before it finally accepts you're human, and it often shows up as a...

                what's this weird browser that has no google cookies, blocks fingerprinting, says it's chrome on windows (while it lacks chrome features) and blocks analytics scripts?

                God help you if you use a VPN with a shared IP too. If you do, recaptcha is annoying as hell, often requiring multiple solves before it finally accepts you're human, and it often shows up as a barrier on even the most common of actions... repeatedly. :/

                I am definitely going to check out that Firefox version and see if it works, so thanks for that.

                4 votes
          2. brighteyes720
            Link Parent
            One thing I feel works best is don't think too much. Go for the first instinct, generally that let's you go through.

            One thing I feel works best is don't think too much. Go for the first instinct, generally that let's you go through.

            2 votes
        2. lionirdeadman
          Link Parent
          As a Firefox and Gnome web user, I can confirm this too but it would only be on signup theoretically so it wouldn't be that bad, you'd only need to go through hell once.

          As a Firefox and Gnome web user, I can confirm this too but it would only be on signup theoretically so it wouldn't be that bad, you'd only need to go through hell once.

          2 votes
      2. zaarn
        Link Parent
        Recaptcha isn't that effective anymore. I have the Firefox Addon "Buster" installed, which solves them automatically. It has been working without any issue (other than the occasional badly filled...

        Recaptcha isn't that effective anymore. I have the Firefox Addon "Buster" installed, which solves them automatically. It has been working without any issue (other than the occasional badly filled out captcha, which is always resolved by trying again) since start of this year.

        4 votes
      3. lionirdeadman
        Link Parent
        Honestly, I think Google and Cloudflare are terrible for the web because of how much power it gives them on what is supposed to be a free-for-fall. They control and have way too much information...

        Honestly, I think Google and Cloudflare are terrible for the web because of how much power it gives them on what is supposed to be a free-for-fall. They control and have way too much information on everyone and it's kinda disturbing.

        3 votes
    2. [4]
      Wes
      Link Parent
      I'm pretty sure you're right. There's no mechanism that I know of that reCaptcha would be able to access your browser history. Even the old tricks like making visited links to see if they're...

      I'm pretty sure you're right. There's no mechanism that I know of that reCaptcha would be able to access your browser history. Even the old tricks like making visited links to see if they're purple have been patched out by browsers.

      Google themselves might have access to that information through Chrome's session sharing (eg. synced tabs), but not as a JS-level feature.

      5 votes
      1. [2]
        Diff
        Link Parent
        They do check your Google account though. I'm pretty sure I remember Google advertising that fact on one of their pages for Recaptcha. And if it's asking Google whether the JS-visible factors are...

        They do check your Google account though. I'm pretty sure I remember Google advertising that fact on one of their pages for Recaptcha. And if it's asking Google whether the JS-visible factors are suspicious, no reason your browsing history and other account data can't factor in on the other JS-invisible end.

        5 votes
        1. lionirdeadman
          Link Parent
          Yup, but then that's not reCaptcha being privacy-invasive, you already gave that information to Google by using your Google account in Chrome, that's the point.

          Yup, but then that's not reCaptcha being privacy-invasive, you already gave that information to Google by using your Google account in Chrome, that's the point.

          4 votes
      2. lionirdeadman
        Link Parent
        Yeah, through Chrome's google account feature it could be used but really, at that point they already had the information so it's not any more privacy-invading than it was when you decided to sync...

        Yeah, through Chrome's google account feature it could be used but really, at that point they already had the information so it's not any more privacy-invading than it was when you decided to sync your browser information with them.

        2 votes
    3. [2]
      teaearlgraycold
      Link Parent
      If you browse the web signed into Chrome then Google knows your browsing history. I'm sure they look at that data during the reCaptcha.

      If you browse the web signed into Chrome then Google knows your browsing history. I'm sure they look at that data during the reCaptcha.

      3 votes
      1. lionirdeadman
        Link Parent
        Then your information was stored in the google account, it doesn't actually look at the browsing history of the browser, it just happens that both are the same because you gave them that...

        Then your information was stored in the google account, it doesn't actually look at the browsing history of the browser, it just happens that both are the same because you gave them that information by being logged into your google account in chrome.

        2 votes
  3. [6]
    Eva
    Link
    Javascript isn't by-default a negative thing; regardless, Tildes isn't likely to need complex anti-spam features for the foreseeable future, even after going "public." There's not a large enough...

    Javascript isn't by-default a negative thing; regardless, Tildes isn't likely to need complex anti-spam features for the foreseeable future, even after going "public."

    There's not a large enough user-base for it to be worth writing custom scripts for spamming with, and it's not using software as a base that already has said scripts written for it. Beyond that, the trust system (when implemented) and standard rate-limiting should be fine.

    6 votes
    1. [6]
      Comment deleted by author
      Link Parent
      1. [2]
        mat
        Link Parent
        It's not perfect by any means, especially for accessibility, but it's a long way from one of the worst things to happen to the internet. I used to run a moderately popular site which was slowly...

        ReCAPTCHA is one of the worst things to happen to the internet.

        It's not perfect by any means, especially for accessibility, but it's a long way from one of the worst things to happen to the internet. I used to run a moderately popular site which was slowly being buried in spam, despite my best efforts otherwise, including using things like textCaptcha and writing my own bot-detection stuff. Then I installed reCaptcha and the spam ended. Almost completely, overnight. Same for probably millions of other sites.

        7 votes
        1. Wes
          Link Parent
          Can confirm. It's one of the only anti-spam techniques I've found that works, and works well. If I don't use it on a contact form, that form receives thousands of spam messages and gets my server...

          Same for probably millions of other sites.

          Can confirm. It's one of the only anti-spam techniques I've found that works, and works well. If I don't use it on a contact form, that form receives thousands of spam messages and gets my server blocked by blacklists.

          2 votes
      2. [2]
        NeoTheFox
        Link Parent
        I also have an issue with being used to train the AI for Google. I swear, some times I get extra time for the ReCAPTCHA, I hate when it does "select the X on pictures", but instead of having that...

        I also have an issue with being used to train the AI for Google. I swear, some times I get extra time for the ReCAPTCHA, I hate when it does "select the X on pictures", but instead of having that grid of squares it just fades the one I clicked on and shows another, very slowly. It's really irritating.
        There had been an interesting idea floating around - just do away with any human/non-human verification, and instead make a captcha-like crypto solver that would load your CPU really badly for a few seconds. This would mean a minor stutter for users on their PCs, but it would significantly drive up the expenses for people trying to spam. You can also make the solution harder exponentially if you send multiple requests from the same IP. It's not a "green" solution, but it should work.

        3 votes
        1. Amarok
          Link Parent
          Heh, that's an interesting idea I've never seen before. Wonder if we could figure out how to make those cpu cycles do something productive too.

          Heh, that's an interesting idea I've never seen before. Wonder if we could figure out how to make those cpu cycles do something productive too.

          4 votes
      3. Eva
        Link Parent
        I'm aware of what ReCAPTCHA is and why it's disliked - I'm no fan myself (and as a uMatrix user, certainly aware of all of the ways it breaks)! But I was specifically referring to a claim in the...

        I'm aware of what ReCAPTCHA is and why it's disliked - I'm no fan myself (and as a uMatrix user, certainly aware of all of the ways it breaks)! But I was specifically referring to a claim in the original post, note.

        2 votes
  4. [4]
    Bullmaestro
    Link
    I don't think there's a simple solution other than to keep Tildes invite-only and keep it as an ever growing private community. The benefit of this approach is that it's easy to remove spam. If...

    I don't think there's a simple solution other than to keep Tildes invite-only and keep it as an ever growing private community. The benefit of this approach is that it's easy to remove spam.

    If you add ReCAPTCHA support, bots will evolve to crack its challenges. In fact, this has already been possible since 2017 which renders Google's technology obsolete.

    Require phone verification like with Dota 2 ranked matchmaking and this will lead to Tildes holding more personal information on the end user which is a privacy concern for those seeking a quality alternative to Reddit. This can also be easily bypassed through the use of burner phones.

    Even doing a SomethingAwful or a Steemit and paywalling registration in some way won't get rid of spammers. It may give them a buy in requirement but it sure doesn't stop them from causing havoc. Just look at the sheer amount of hackers and botters present in premium games like Overwatch and WoW - where a high buy-in price or even a subscription fee does not act as a deterrent.

    Look on the bright side, let's say that hypothetically Reddit implodes within the next few weeks, perhaps through the admins shutting down a popular subreddit or by forcing their loathed redesign upon the community (much like how Digg fell.) Would you really want an exodus of Redditors magnitudes higher than the entire Tildes community flooding into here and driving down the quality of any discussions?

    5 votes
    1. [3]
      cfabbro
      (edited )
      Link Parent
      For the record I have actually shut down invite threads on /r/tildes before when that happened and will likely continue to keep doing that. I don't want people coming here for the wrong reasons or...

      Look on the bright side, let's say that hypothetically Reddit implodes within the next few weeks, perhaps through the admins shutting down a popular subreddit or by forcing their loathed redesign upon the community (much like how Digg fell.) Would you really want an exodus of Redditors magnitudes higher than the entire Tildes community flooding into here and driving down the quality of any discussions?

      For the record I have actually shut down invite threads on /r/tildes before when that happened and will likely continue to keep doing that. I don't want people coming here for the wrong reasons or with the wrong impression of the site either. This is not a reddit replacement and many of the quarantined and banned subs (and the content posted in them) would not be welcome here either.

      And if/when Tildes does go open registration, it's probably not beyond the realm of possibility that Deimos will temporarily shut down registration here too (similar to a torrent tracker or Metafilter) if/when another mass exodus from another site happens in order for Tildes to ride out the storm.

      9 votes
      1. MetArtScroll
        Link Parent
        I would add that even Voat shut down open registration during the recent exodus of certain banned subreddits.

        I would add that even Voat shut down open registration during the recent exodus of certain banned subreddits.

        4 votes
      2. Bullmaestro
        Link Parent
        And Deimos has very good reason to keep the site locked down. Just look at what happened to Voat after racist communities were purged from Reddit. The site pretty much became another Stormfront.

        This is not a reddit replacement and many of the quarantined and banned subs (and the content posted in them) would not be welcome here either.

        And Deimos has very good reason to keep the site locked down. Just look at what happened to Voat after racist communities were purged from Reddit. The site pretty much became another Stormfront.

        1 vote