I'm finding it a bit hard to follow the structure of this document so forgive me if this is what's being discussed, but wouldn't it make the most sense to block Anonymous editing from Apple Private Relay IP ranges? Once signed in, there is again a way to track the editor, and a way to deal with bad actors.
Linked page:
"We are looking for answers to the following questions: Are you seeing problems related to the current iCloud Private Relay global blocks [1] on your wiki? Do you think that it's likely that good-faith editors will be affected by blocks? While we do not know for sure, we think that this situation may grow over the next couple of years. It is possible that other browsers, such as Chrome and Firefox, could follow a similar pattern and also restrict access to IP addresses. If this happens, it will be a major change in how the internet works. What do you think, in what ways would this change affect the wikis?"
"Global blocks are technical actions performed to prevent an IP address or range of IP addresses from editing all Wikimedia wikis, for a fixed period of time or indefinitely. Global blocks disable account creation from the blocked IP by default, and can also prevent editing while logged in to an account."
Hard IP bans are the exception and used when a lot of sock puppets are involved operating from the same IP range. Soft IP blocks don't prevent logged in users from editing. On enwiki you can try to get a 12-month IP block exemption: https://en.m.wikipedia.org/wiki/Wikipedia:IP_block_exemption
My strong suspicion is that the blocking is done at a different layer.
Much easier to simply block posts/puts to certain paths from ip ranges in the ingress layer, before they ever reach the application and are authenticated.
That doesn't work because Wikipedia doesn't store your IP forever if you have an account. If they allowed what you described, then you could make a bunch of accounts with your real IP, wait 90 days for the IP you made it from to be forgotten, then vandalize with them all over VPNs, and they couldn't do anything about it other than reactively blocking each account individually.
Then grade accounts by more than one metric. I've had my account for years and made plenty of edits but it's treated like some newbie account that may be a bot? Because I value my privacy?
I use Britannica for anything that isn't celebrity/pop culture based now, I thought Wikipedia had killed off "proper" dictionaries but they're going in reverse. I enjoy the irony of that.
I assume the website owner intends to want to show ads or track me for marketing or other data harvesting purposes if they try to do further verification than password + 2FA code. They are forcing CAPTCHAs because they want to make it inconvenient enough such that I disable content blockers on their website.
My decade-old account with thousands of edits and zero vandalization still gets hard-blocked behind VPN. I once checked out the exemption process but felt discouraged to make a request (can’t remember why now). It’s pretty stupid.
"I cannot stress this enough, and I think it's important to frame this debate correctly when it comes to discussing these blocks. I have made somewhere around 1200 rangeblocks of webhosting providers in the last 5 weeks or so. Not one of them was targeted at a user." — [[User:Blablubbs]] in linked page
Wikipedia doesn't block to punish individuals. It blocks to protect itself. There are plenty of ways around most blocks, like simply creating an account.
> Surely they are aware that this is basically all IPs nowadays...?
There are indeed many classes of IP address which multiplex large numbers of users (mobile network exits, VPN exits, ISPs with CGNAT, some corporate web filtering systems, shared public wifi, tor, satellite ground station exits, residential proxies, ...).
However, claiming that "basically all" IPs are multiplexed is definitely wrong. A home or small office broadband line typically gets a dynamic-but-ephemerally-unique IP, same as it always did.
The effect of IPv6 on this isn't totally clear to me yet. If anything, as IPv6 deployment among ISPs increases, the trend seems to be for less multiplexing and not more.
> However, claiming that "basically all" IPs are multiplexed is definitely wrong. A home or small office broadband line typically gets a dynamic-but-ephemerally-unique IP, same as it always did.
IPs assigned to homes and small offices are still multiplexed. It's just a case of magnitude. (In other words, it's rare for a home or small office to contain just a single person.)
The policy as stated makes no sense, if they intend for it to be something like "more than 5 people per IP" they should just say so.
> The effect of IPv6 on this isn't totally clear to me yet. If anything, as IPv6 deployment among ISPs increases, the trend seems to be for less multiplexing and not more.
FWIW, every ISP I've used in the last ~10 years has delegated me an IPv6 prefix, resulting in each device in the network getting a unique IPv6 address. I've never seen any kind of NAT used in the wild for residential IPv6.
You're absolutely correct. But: Wikipedia aren't trying to ban all multiplexed IPs. Instead, they're seeking to ban the IPs that bad actors disproportionately use -- and those are the heavily multiplexed ones.
It's kind of the internet equivalent of keeping drug dealers out of your club by banning anyone who lives in a poor area. A lazy (and likely discriminatory) policy, but a simple one, and effective.
Is that true? I've worked at two ISPs and we never made an effort to make the IPs ephemeral. (OK, at the second ISP we didn't even have DHCP servers. We made everyone set up every device on their own!)
My current home broadband setup gives me the same IP address for months at a time, across router reboots. Advertisers love it, I'm sure.
That's a great point and very fairly made. For my own ISP (BT in the UK), I get a new IP on each router reboot. I understand that for some others like Virgin, the IP is very stable over long periods.
For most ISPs making IPs ephemeral is the only solution to the scarcity of IP addresses. You don't want IPs allocated to people who have turned off their routers.
That doesn't require you to deliberately assign a new IP every time the router reboots, it just requires you to be able to re-use IPs without an active DHCP lease.
In practice customers don't usually turn their routers off for very long, and many ISPs don't have an acute shortage of IPs (those that do have already moved to CGNAT), so it's pretty typical to keep your IP no matter how many times you reboot your router. If I'd leave it off for a month I'd be less sure I'd get the same IP.
> AFAIK their policy is to block IPs that "obscure individual users". Another commenter quoted:
> > Communities typically block edits from IP addresses that obscure individual users.
> Surely they are aware that this is basically all IPs nowadays...?
> If that's genuinely the policy then it should be almost equivalent to just requiring an account for all edits, so why not just do that?
With the shortage of IPv4 addresses and the lack of progression to IPv6 from many ISPs, we're likely going to see users unable to anonymously edit if they start blocking those behind a CGNAT.
The tragedy of the commons that happens when you can't establish the reputation of your visitors because regular users are indistinguishable from malicious actors when signals like IPs are intentionally obscured.
The reasoning here just seems perverse. WP wants to allow contributions by anonymous users, which seems noble. But it also realizes that it needs to be able to block some people from anonymous contribution "to protect itself".
The implementation of the blocking mechanism is IP addresses/ranges, which is imprecise (to say the least). But now you have to worry about abusive users bypassing your technical control by obscuring their IP addresses. So you block all IP ranges that implement e.g. CGNAT, VPNs, 464XLAT.
So now you're mass-blocking access to millions of people who have never shown any inkling of malicious intent due to rational technology choices by their service providers or due to a reasonable desire to protect their personal privacy.
If you're OK with blocking users in such an entirely capricious and arbitrary way, why not just insist on registration?
Not blocking anything is infeasible due to abuse, requiring registration is effectively blocking anonymous editing access for everyone. If you want anonymous editing, providing it to some is strictly better than providing it to none.
Your argument is as flawed as saying we shouldn't have email because spammers must be blocked.
>>If you want anonymous editing, providing it to some is strictly better than providing it to none.
Objectively: Not always. You're creating a tiered society. The argument is saying "Why do some people deserve freedom but not others?" It's great if you're part of the in-group, but exceedingly unjust if you're non-vandal bycatch due to the blanket bans. You can't have some democracy, it's all or none.
I'm unable to anonymously edit by default because I have T-mobile for my phone and internet services and there is a blanket ban on T-mobile IPs. This is the 3rd largest telecom in the US with about 108 million users. I'm going to assume that less than 1/10th of them are Wikipedia vandals, but a blanket ban has been put in place.
Explain how it's "good" that a random AT&T user can make an edit, but I (or another random T-mobile user) can't? Follow up, explain why making everyone who wants to edit register an account is a net bad if it's the only choice for millions of people?
It is good that a random AT&T user can edit anonymously. It is bad that you can't. The "but" clause is a trap. You should be able to edit anonymously too.
If trends continue, less people will be able to edit anonymously. This trend needs to be reversed so that as many people as possible can edit anonymously.
Actually: if your premise is that you're an open access facility, then having arbitrary treatment of different users is a really excellent way of undermining that premise.
For example, as was pointed out elsewhere on this discussion, having blocking controls that tend to create a higher bar for people without home internet access means you're discriminating against groups that can only afford a personal mobile device, or only have internet access at a library, or come from a particular national origin, etc.
If you care about anonymous editing, creating underclasses that cannot have it seems an unlikely way to further your mission. It's effectively a form of red-lining.
I don't understand what your email analogy is getting at, so I'm going to leave that alone.
That's only because they're using weak authentication. If they required users to use something like WebAuthn, the bot problems would be significantly easier to deal with.
How come? Last I checked there was a devtool to create virtual authenticators. Unless there’s a way for wikipedia to permit only certain vendors like Yubico, akin to browsers trusting certain CAs, I don’t see how one couldn’t make a bot register thousands of accounts with virtual authenticators.
True, but that would significantly increase the barrier for contributions, especially at the long tail. As always, it's a trade-off, not a black-or-white situation.
yes, but it is way too broad. hosting service ranges are blocked even though individual servers have static IPs. it is possible to get an IP unblocked, but then someone else blocks another range with that IP again. it's impossible to keep up.
the problem with accounts is that the editing history is public, making it impossible to keep even a pseudo-anonymous identity because everyone would know who i am based on what i edit.
didn't jimmy wales himself say that the editing and viewing history is sensitive personal data?
i don't mind wikipedia itself knowing my identity, just like i don't mind hackernews admins knowing who i am, but i'd like wikipedia to help me keep my identity hidden from the public.
In my experience it's extremely effective to filter IP blocks where a lot of trouble seems to come from. Services that don't scrutinize their customers very carefully tend to accumulate questionable customers.
Not gonna speak to why they're blocking Apple Private Relay, but clearly, no, they're not implying that an IP uniquely identifies an individual. In some cases, it can identify an organization, though. One of my good friends worked for Wikipedia a while back, and he claims one of the bigger problems they had was Congressional staffers edit-warring on pages, so they blocked the IP range of US Congressional offices. They weren't trying to target a single staff. They were targeting all of them.
> an IP address meaningfully identifies a single editor
I'm fairly certain that the GDPR believes an IP address is PII and imposes a bunch of fairly onerous restrictions on how network administrators are able to log and analyze them. So it doesn't seem like that ship has sailed at all. If anything it's been reinforced by actual law that it _does_ meaningfully identify someone.
The GDPR also protects your name that way too, despite the fact that it might actually identify a multitude of different people (like if you're called John Smith). It does so on the basis that it may under some circumstances be sufficient to identify you personally; same for IP address.
It is very seldom in my experience the case that legislation tells us anything at all about what is true about technology.
There are malicious editors out there. For example, someone repeatedly edited the Kubernetes page on Wikipedia to make some changes that were not true and contradicted by the reference that was used. This is just one example.
There is a very real problem, even in technical circles, of wrong information being put on there.
In this example, it was always by an anonymous account.
How does the Wikimedia foundation attempt to handle this? I'm not suggesting I have ideas on what to do. But, this is a real debatable question they have to wrestle with.
Wikipedia is dominated not by the truth, but by two things:
- people who treat articles like their own fiefdoms and have obsessively memorized every sentence of policy and can drown an edit they don't like with subjective assertions that an edit violates a particular policy
- no-life basement neckbeards who do thousands and thousands of edits on subjects they couldn't possibly have knowledge or experience on and respond instantly to edits to "their" pages
Further, in disputes, it essentially comes down to who the rest of the community likes more. The ultimate ad hominem is that some random IP address vs an established 'wikipedian', even if the 'wikipedian' is full of shit? The wikipedian wins.
The page for AA is a great example. There's a dude who is completely unhinged and suppresses any negative information about AA, such as the problems with abuse, predation, and sexual assault. Or studies showing poor efficacy compared to science-based treatment.
I posted a HN comment as such and was more than a little surprised to come across a reply made barely a few hours later, apparently from that dude, accusing me of being someone he'd had a tiff with on wikipedia.
You look at the edit history and his behavior is clearly gatekeeping and enforcing a particular viewpoint. Yet, curiously, he's never been subject to any censure?
100% this, same as you get with reddit moderators and those types of people. There are a lot of people there with agendas who use "the rules" to kill any opinions they don't like.
Look up anything even mildly controversial, e.g. Gender, Marxism, Capitalism, Globalism, Election Laws, Freedom of Speech, Racism, and then compare 10 years ago to today, using archive.org or by looking at edit history. It feels like a parallel universe, as if history was totally re-written.
>How does the Wikimedia foundation attempt to handle this?
Add a time cost to accounts that is independent from IP or real identity. I gave a suggestion of factoring the product of primes, basically breaking crypto with far fewer bits than would ever be used in a real system to tune the time to a desired target. Another option would be to require a security key for anonymous editing of hot articles then ban the key if needed, which would essentially be a fairly anonymous proxy for money. Now attackers need to spend a key each ban. Although unlike just doing it purely for Wikipedia that might result in a market of "used, banned" keys which isn't really great. But they shouldn't do it via IP, they absolutely could do better.
Where does this end? Like if the end goal is to block every IP that has a bad reputation score, why not go all in and block every Tor exit IP and every popular VPN exit node too? If you're gonna do something, do it right.
That said, there's nothing stopping me hacking a residential router to make my (anonymous) Wikipedia edits.
It's not going to end. AI will make bots indistinguishable from humans, it's already a problem, and will become a major challenge for online services, the internet, all digital content in general. Proof of Human is something that has to be solved sooner or later. The solution is already being explored, governments will have to issue citizens ID-Tokens on some new blockchain, specifically made for that purpose. That way, all content will be signed, and can be verified as genuine.
Complete anonymity will be a thing of the past, but I don't think there's really any other way.
A lot of smaller sites based on wiki-technology do that already. The only reason wikipedia can stay (semi) open is because it has enough people to do regular patrols.
As usual it's a small misbehaving minority in the world who make it difficult to Have Nice Things.
While we're talking about Private Relay: with it enabled (on an iPhone), Google won't show me search suggestions. Both google.com and Safari's address/search bar are affected. It's a small feature, but a feature that I rely on often, so it's quite the dealbreaker for me.
In practice, I believe the reason is historical: that's how Wikipedia started and it hasn't changed. But there's pretty compelling evidence that it provides Wikipedia some unique benefits relative to an account-locked alternative:
Hill, B. M. and Shaw, A. (2021) ‘The Hidden Costs of Requiring Accounts: Quasi-Experimental Evidence From Peer Production’, Communication Research, 48(6), pp. 771–795. doi: 10.1177/0093650220910345.
Because that seems to be what the people in charge actually want but are half-assing in the name of optics.
IDGAF one way or the other, but if you're going to be banning millions of users from editing via their IP, just commit to saying "We need to be able to identify you vandals, and a user account is the easiest way".
You're either true to a mission statement, or you should stop virtue signaling beliefs you don't hold with your mission statement.
> Because that seems to be what the people in charge actually want but are half-assing in the name of optics.
Most certainly not. The people in charge actually want it to be open. You are simply watching those ambitions splinter somewhat as they are beset by the crashing waves of the harsh reality that is the Internet.
"Want it to be open" but ban mobile network IP addresses, which basically guarantees people below a certain socioeconomic status can't contribute. Loads of people don't have a desktop/laptop, or even internet service at home - just cell service.
But note that requiring authentication to edit doesn’t necessarily change anything about abuse, yet this thread seems to suggest that people think it does.
Just means you need to farm a POST /register. You can attach a one time use account to every abusive edit and it’s no big deal.
If the concern is socioeconomic status: One could still edit from a library, for instance.
But yeah, the internet has changed over time, and it is not as nice a place as it used to be.
I think it's important that there are still sites where people don't need an account to be able to participate. Wikipedia is one of the last holdouts in the West, and they clearly are having some amount of trouble keeping it 100% that way.
Given that you need to prevent abuse, how would you propose to keep things (more) open?
>>If the concern is socioeconomic status: One could still edit from a library, for instance.
Just to be clear, your response to "disadvantaged people would likely have a hard time editing Wikipedia from an 'anon' IPs" is "take time and energy (finite resources that are in many cases more valuable than money) and travel somewhere to edit". This is...not a very good argument in your favor? Also, it makes the extremely bold assumption that the library (or whatever publicly available resource) is not IP banned itself because some vandal had the exact same thought.
>>I think it's important that there are still sites where people don't need an account to be able to participate.
Why? If this is important, why isn't it important for everyone? The point I, and other commenters have made, is that you shouldn't say "We care about a free and open internet" when what you mean is "We care about a free and open internet as long as nobody does anything we don't like and we're able to regulate it as we see fit".
These things are a binary, not a scale, despite what some people want to argue. When you start blanket bans that harm people who have done nothing wrong, you're taking a step towards authoritarian and away from pure openness. "The needs of the many outweigh the needs of the few" is pointedly saying "we are not prioritizing your needs" and that's what moderation is.
>>Given that you need to prevent abuse, how would you propose to keep things (more) open?
You're admitting defeat here, and showing how useless a word like "free" or "open" is. The site is not more or less open, it's open or closed for some. You being able to freely edit does nothing for my inability to freely edit. You can't average these things together and say "99% of people are free to do what they want" as if that was a meaningful statement for the people who can't. Moderation is antithetical to "free" or "open" speech. I'm for moderation, I just want people to stop pretending that you can have it both ways.
I appreciate your advocacy for Wikipedia to continue to allow everyone to edit anonymously. When I was a wikipedia regular I also pushed for this.
Unfortunately, as with everything, some people do abuse this facility. Some abuse it to place misinformation on wikipedia. Other people (like bored teenagers) might vandalize the wiki by deleting all the content on the page and replacing it with a pithy epithet. Then there are bots that skim the internet looking for mediawiki sites and filling them with adverts.
Sometimes you need to block these kinds of activity. Sometimes such abuse comes from a shared address or range, and sometimes such a block thus leads to (hopefully temporary) blocking of innocent bystanders. That is bad.
There are facilities in place to help prevent innocent bystanders from getting caught up. But it's a constant arms race. And if nothing is done at all, wikipedia would quickly cease to operate.
The community discussion is about this situation. Current internet trends have more people editing from behind proxies or shared IP addresses. If these trends continue, perhaps wikimedia will have to figure out new ways to fight abuse while still allowing people to continue to edit anonymously. This is not something that has happened or will happen by itself. It takes and will take constant monitoring.
I don't think it's a good idea to then just go ahead and abolish anonymous editing like some people suggest. Being anonymous on the internet is a great thing that should be a right. We need to continue to find ways to preserve anonymity (and pseudonymity!), and also continue to find ways to keep bad actors from ruining it for anyone else.
Having anonymous participants is orthogonal to whether your community is moderated by the way. In fact you can even have anonymous moderation (which has been a part of how wikipedia works).
I think you make valid points pretty much top to bottom. Less tracking on the internet would make me feel better. "Bad" content on a site will corrupt or ruin its ability to function.
I just (ironically?) hate crusaders, and the type of people who proclaim (as wikipedia does) that they're Doing Their Best(tm) to adhere to their stated goal (pseudo-anon editing with IP based tracking) while doing something that undercuts that goal for millions (blanket IP bans).
I guess my ultimate complaint is that the continued mercy of the inability of the human mind to correlate all of its contents causes people to do things antithetical to what they say they want. That people refuse to live in nuance and continue to pretend they hold themselves to a higher standard that they frequently do not when pressed with any sort of complication.
I understand we live in a society and in order for it to function there are tradeoffs, and I'm not one of these "free speech has been completely killed by cancel culture" nutjobs, but I hate when people speak out of both sides of their mouth which is what Wikipedia does (IMO) when it comes to their moderation/contributor policy. Abolishing anon editing puts everyone on a level playing field (you want to contribute, you have to sign up).
Am I being Just or just Vindictive? IDK, and I'll admit that's open to interpretation. It just feels more fair to me to throw your hands up and admit that vandals are why we can't have nice things than to say APR users are collectively lesser than AT&T users. One feels defensible, the other feels like logical contortion.
This is a semantics debate, and a good faith read of each of our comments seems to show agreement in our understanding of the situation. "Want" does a lot of lifting, and they want 2 contradictory things (no vandals, anyone can edit) and are prioritizing those wants.
I'm saying that by prioritizing the want of "no vandals" you are making the want of "open to everyone" untenable. I'm sure their actual top priority is "the best, most accurate listing of information" and everything else is in service of that goal, but I don't really care.
My point stands: If you want anyone to be able to edit anywhere at any time, you can have that but you make trade-offs. Saying "vandals are bad and need to be stopped" is actually not an objective fact, it's a choice about what information you hold valuable.
I don't think you realize the amount of vandalism that used to occur before wider IP range bans were put in place. It was just insane, and even now it is sometimes still hard to manage.
Between this and the T-Mobile IP ban, why not just say "Only registered users can edit pages" and be done with it? When you're blocking millions from unregistered editing, just go full tilt.
My whole point is "reasonable" is an opinion, and really easy to justify when you're not part of the out-group. The stakes on this (who can edit one website that represents the de-facto knowledge on the internet) are either very high or very low depending on who you ask. The idea that people want to protect that makes sense.
What I feel does not make sense is pretending that you're "open" when you stifle millions of (innocent) people. To show the escalation, there are people who would gladly round up millions out of billions to throw in jail or murder for the sake of the safety of the rest of the group. And it would be reasonable to them because it provides the billions with safety. But I think it's extremely reasonable for the millions (and in particular the innocent among them) to complain that "this isn't really the open, free, democratic society you promised and maybe you should admit that at this point".
TL;dr- Let's stop pretending Wikipedia is open to all and isn't about Wikipedians controlling Wikipedia.
Stupid and disappointing. Wikipedia and others should move decisively away from using IP addresses as any form of unique ID and address the actual problem in a way that still preserves the option for useful pseudonymity and participation. The basic issue with moderation is the balance between the time/resource cost of moderation and the time/resource cost of evading it times the quantity of bad actor interest. Like if it costs the site two cumulative human minutes and paying for that somehow ($2 at $60/hour, or limited volunteer resources that should still be valued) to make a moderation decision but bad actors can evade in seconds for free then the site will eventually suffer from resource exhaustion if there is enough attacker interest. Conversely if the cost on the site side is two minutes/$2 but hours/$10+ on the attacker side the site is going to win. At some level of imbalance even the best funded attacker will run out first. IP addresses have been used as an extremely clumsy and increasingly bad proxy for cost, because it takes some level of effort/time/expertise to evade it. But as well as evasion being automatable and growing worse (hard to see how IPv6 won't be the final nail in the coffin there at long last) the side effects against innocent and important usage are very bad too. Some sites use money as a proxy (SomethingAwful's (in)famous 10bux say) and that can work in some niche cases, but is also less than ideal for anything that aspires to be global and widely inclusive given gross inequalities in income. It's impossible in most cases to set a level that isn't simultaneously a blocker for many while not even being a speedbump for others.
Instead it's way past time they just attacked the problem directly with some flavor of more formalized cryptographic representation of time. Like just give new users a number to do prime factorization on tuned to a desired target, then sign the result. Ensure they need to do a few hours/days/whatever of crunching (could be graduated, a few hours gets you initial editing rights then you're expected to crunch a bit more over the following months to reach full user level). Scale over time with increasing processing power. Near zero cost to verify. Now even with hacked routers and so on it still always takes some time. For people who don't get banned it's a one-time cost, no problem, amortized over years/decades (Wikipedia is 21 years old now, and there are other older forums still around too). Anyone in the world can participate no money required, just a computer. But for attackers it's a constant burn. And it changes the calculations for things like soft bans too. If you've got a token representing a week's worth of compute built up over a few years and get a 48 hour ban, the incentive against ban evasion is high. It's not possible to build back up another token before the ban expires.
It's a shame there isn't some standard for this, no reason in principle a handful of authorities couldn't make chrono-tokens that any site could recognize and keep their own DB of. No permanent identity involved, no law enforcement, always the chance to start fresh, every site can choose whether to worry about other sites' bans or not (or contribute back their own or not). A token need not be tied to any account at all in fact. And no algorithms involved either, humans can take the driver's seat again because the cost equation is firmly back in moderators' favor and they have a dynamic tool to respond to abuse (they can just temporarily increase the time req during an attack surge as high as needed to quench it while not hurting long time users or even stopping new ones from signing up then lower it smoothly back down to let new people start faster as whatever caused the attack winds down).
It stinks we're into the 2020s and moderation doesn't really seem much different than the 90s.
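An added example, not part of the original thread or of any Wikimedia code, sketching the factoring-based time-cost token proposed in the comment above: the site issues a semiprime sized to the work it wants, checks a submitted factorization with one multiplication, and returns a MAC-signed token carrying the difficulty level and an ID that moderators can ban. The function names, token layout, HMAC key and the 40-bit demo size are all assumptions.

```python
import hashlib
import hmac
import math
import secrets

SERVER_KEY = b"constructed-demo-key"  # constructed; a real site keeps this secret
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin; these bases give a deterministic answer for n < 2**64."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact size, odd
        if is_prime(c):
            return c


def _mac(*parts):
    msg = "|".join(str(p) for p in parts).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(bits):
    """Server: the modulus size is the tuning knob for expected client work."""
    p = random_prime(bits // 2)
    q = random_prime(bits // 2)
    while q == p:
        q = random_prime(bits // 2)
    cid, n = secrets.token_hex(8), p * q
    # p and q are discarded; the MAC lets the server stay stateless.
    return {"id": cid, "n": n, "bits": bits, "tag": _mac("chal", cid, n, bits)}


def solve(n):
    """Client: Pollard's rho (Floyd cycle detection), the expensive side."""
    c = 1
    while True:
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:  # d == n means this polynomial failed; try another constant
            return min(d, n // d), max(d, n // d)
        c += 1


def redeem(ch, p, q):
    """Server: one MAC check and one multiplication, then sign a token."""
    expected = _mac("chal", ch["id"], ch["n"], ch["bits"])
    if not hmac.compare_digest(expected, ch["tag"]):
        return None  # challenge was altered or not issued by this server
    if not (1 < p < ch["n"] and p * q == ch["n"]):
        return None  # trivial or wrong factorization
    # Token ID equals the challenge ID, so replaying a solved challenge
    # yields the same token and one ban covers every copy.
    return f'{ch["id"]}|{ch["bits"]}|{_mac("tok", ch["id"], ch["bits"])}'


def token_ok(token, required_bits, banned_ids):
    """Site: accept if genuine, hard enough for the current level, not banned."""
    try:
        tid, bits, mac = token.split("|")
        bits = int(bits)
    except ValueError:
        return False
    if not hmac.compare_digest(_mac("tok", tid, bits), mac):
        return False
    return bits >= required_bits and tid not in banned_ids


if __name__ == "__main__":
    ch = issue_challenge(40)  # demo size; solved in milliseconds
    tok = redeem(ch, *solve(ch["n"]))
    print(tok, token_ok(tok, 40, set()))
```

Raising `required_bits` during an attack surge rejects tokens earned at a lower level without touching higher-level ones, and adding a token ID to `banned_ids` forces the holder to redo the work.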
Using hashcash and other proof-of-work schemes to limit spam and similar abuse sounds appealing, but I don't see how you can make it work in practice.
1. Defenders use standard PCs and mobile phones. Attackers use GPUs, FPGAs and ASICs and run them in places where electricity is cheap.
For traditional hash algorithms this gives the attacker a thousandfold or so advantage. There has been some work on closing the gap in the context of crypto currencies, but I don't know how close they got.
2. It takes a phone (or even a PC) a long time to burn through $2.
3. Attackers have large botnets and don't pay for the electricity consumed by these.
These ideas always fall short for various reasons in practice.
One is that you mainly punish honest users who have to install and run this PoW crapware just to make a small but legit edit. Wait, I have to lock up my CPU for how long to fix a typo I stumbled upon? Lol, forget it then.
Meanwhile, abusers just farm PoW solutions and make it negligible. You end up with a solution that’s even easier to farm than quick expiry captcha.
And your idea doesn’t stop you from having to implement moderation anyways. You have to do the same work.
When making a response it helps to actually read the comment and engage in good faith.
>One is that you mainly punish honest users who have to install and run this PoW crapware just to make a small but legit edit.
I covered this. It's trivial in such a system to still have no-cost be the default, and ramp up only for certain criteria or during hot spells. Which is what I wrote. Also, an RSA cracker can run fine as javascript, no need to install anything. And legitimate users can build up over long periods. Further, how do IP bans, the existing default, line up with your "honest users" thing hmmmmm? You did at least read the title of this comment section right? You are aware that this is all in the context of something that is also a broad sledgehammer right?
>And your idea doesn’t stop you from having to implement moderation anyways.
I never suggested it did? Quite the contrary? Hello?
>You have to do the same work.
No, you don't have to do the same work if attackers cannot attack as quickly and cheaply. Duh.
> address the actual problem in a way that still preserves the option for useful pseudonymity and participation
You mean like supporting use of pseudonymous accounts that don't require more than an email to register, just like HN? Wikipedia already does this. It's trivial to sign up with a throwaway email account. No one cares unless you try to abuse or game editing by making sockpuppets to sway debates.