Admin of tucson.social here - when UM signed up at tucson.social he made some crucial mistakes that made him easy to identify as a bot. Unfortunately, since this affects my security posture, I'm not keen on publicly posting what it is as he still makes the same mistakes.

However, let me add this - there are multiple places we should be validating are accessed from the same IP in a registration flow - all to many bot farms centralize certain aspects of their operations and use the same IP every time for only certain parts of a given flow.

I'll also add that many admins are either stupid about site security, or actively complicit in the bot problem.

It is definitely an under provisioning problem. But that under provisioning problem is caused by the customers usually being very very stingy about what they are willing to spend. Also, to be clear, it isn't buckling. It is doing exactly The thing it was designed to do. Which is to stop writes to the DB since there is no disk space left. And before this time, it's constantly throwing warnings to the end user. Usually these customers tend to ignore those errors until they reach this stop writes state.

In fact, we just had to give an RCA to the c-suite detailing why we had not scaled a customer when we should have, but we have a paper trail of them refusing the pricing and refusing to engage.

We get the same errors, and we usually reach out via email to each of these customers to help project where their data is going and scale appropriately. More frequently though, they are adding data at such a fast clip that them not responding for 2 hours would lead them directly into the stop writes status.

This has led us to guessing what our customers are going to end up at. Oftentimes being completely wrong and eating to scale multiple times.

Workload spikes are the entire reason why our database technology exists. That's the main thing we market ourselves as being able to handle (provided you gave the DB enough disk and the workload isn't sustained for a long enough to fill the discs.)

There is definitely an automation problem. Unfortunately, this particular line of our managed services will not be able to be automated. We work with special customers, with special requirements, usually fortune 100 companies that have extensive change control processes. Custom security implementations. And sometimes even no access to their environment unless they flip a switch.

To me it just seems to all go back to management/c-suite trying to sell a fantasy version of our product and setting us up for failure.

As a man who grew up with one foot firmly planted in yeehaw and the other in yuppie, I think this is brilliant!

I agree. I think 1440p+HDR is probably the way to go for now. HDR is FAR more impactful than a 4K resolution and 1440p should provide a stable 45ish FPS on Cyberpunk 2077 completely maxed out on an RTX 3080Ti (DLSS Performance).

And in terms of CPU, the same applies. 16 cores are for the gentoo using, source compiling folks like me. 8 cores on a well binned CPU from the last 3 generations goes plenty fast for gaming. CPU bottlenecking only really show up at 144fps+ in most games anyways.

As somebody with autism. I find this take lacking nuance. You see for me these tools represent a huge leap and accessibility for me. I can turn a wall of stream of consciousness text into something digestible and represents myself.

I find myself constantly exhausted with the societal expectation that I review, edit, and adjust my own speech constantly. And these tools go a long way to helping me actually communicate.

I mean, after all nothing changes for me. People thought of me as a robot before. And I guess they can continue to think I'm still a robot. I've stopped giving a crap about neurotypical expectations.

Lived there for 7 years - I think I got it.

Step one, do not be in downtown, inner SE, inner NE, Gateway, or anywhere near a Max line or bus station after dark. Step two, carry mace and a stun gun. Step three, leave Portland for good and only return if I must << We are here.

We got a lot of hate from certain left leaning folks in Portland for leaving "because of the homeless". It's like, "No, dude, I'm leaving because my wife was assaulted by homeless no less than 3 times (twice physically, once was almost a rape), and that's even when she was "safely on TriMet. You can 'but not ALL homeless' all you want. My wife is traumatized and we want nothing to do with this shithole of a city".

Yeah, after the 3rd one we left, and we can say with certainty that we'll never ever come back to live in PDX.

Similarly FPS-Z games like Tribes (Ascend, Vengeance, 2) and Legions Overdrive.

Fortunately MidAir 2 is almost here. https://store.steampowered.com/app/1231210/Midair_2/

Hmmm, I'd check the following:

1. Do the emails follow a pattern? (randouser####@commondomain.com)
2. Did the emails actually validate, or do you just not see bouncebacks? There is a DB field for this that admins can query (i'll dig it up after I make this high level post)
3. Did the surge come from the same IP? Multiple? Did it use something that doesn't look like a browser?
4. Did the surge traffic hit /signup or did it hit /api/v3/register exclusively?

With those answers I should be able to tell if it's the same or similar attacker getting more sophisticated.

Some patterns I noticed in the attacks I've received:

1. it's exactly 9 attempts every 30 minutes from the user agent "python/requests"
2. The users that did not get an email bounceback were still not authenticated hours later (maybe the attacker lucked out with a real email that didn't bounce back?). There was no effort to verify from what I could determine.

Some vulnerabilities I know that can be exploited and would expect to see next:

1. ChatGPT is human enough sounding for the registration forms. I've got no idea why folks think this is the end-all solution when it could be faked just as easily.
2. Duplicate Email conflicts can be bypassed by using a "+category" in your email. ie (someuser+lemmy@somedomain.com) This would allow someone to associate potentially hundreds of spam accounts with a single email.

Well I am making a distinction between creating a newer implementation and rolling back to an older, known implementation. It's why I find it bizarre when folks point out that there's a new feature request and a PR is guarenteed accepted - yes, but that will take more time than reverting some commits and maybe retrofitting if needed. The entire point I was trying to make is that they could just roll back, and when the new feature is ready, we can go right to it. I'm not (at least intentionally) asking for grandiose work and assuming going back is quicker and more readily available than waiting for a new solution to be implemented.

Look, you keep returning back to a point I'm not making, and it seems like its in bad faith.

You keep saying how captcha's aren't perfect. They never needed to be and any sufficiently advanced attacker can bypass them. We've gone over that at length, you returning to this argument just shows how little else you have than "Mondays always suck" / "Evil shall persist" mindset.

Your entire position of chasing me on "oh, but captcha doesn't solve ALLLLLL bots". Yeah, and laws don't deter ALLL crime either.

Shall we remove these pesky laws of civil society? I mean, after all why abide by rules that any one person can chose not to follow the laws? What good are they anyways?

You know it's an inane point that has no logical conclusion, but I think you probably already know that and I'm done assuming good faith in your trolling.

Back to my original point, it's fantastic that the work is planned, but unless they roll back the removal, v0.18 is going to be a huge headache, and not just for the admins of servers running v0.18, but everyone else too.

So the solution is to force everyone to be low hanging fruit in the meantime?

Look, I get where everyone is going in terms of improvements, but to remove an already working solution and leaving folks exposed in the meantime is not how we should be rolling improvements.