1. This common assumption simply does not make sense to me. An account farmer could easily use human labour (self or others) to log bots into a large number of accounts with “stay logged in” checked, then let them stay logged in to make unlimited spam/nonsense/copypaste posts. It would be trivial; all the bots would need to do is to keep their cookies. I know this because I myself now stay logged in, on a credential apparently set to expire in the year 2023. I have not filled out the CAPTCHA since 10 December. Whereas a password bruteforcer would indeed be stymied by the CAPTCHA. A bruteforcer would also be slowed down by a POW. A spambot could complete the POW once, then stay logged in for years or until permabanned.
I think you should reconsider your opinion
As to me, it doesn't make a lot of sense to use just one spam bot (account) when you can use hundreds or even thousands of them, and this is where captcha kicks in. Without it a spam bot could constantly log in and off using different accounts from the same IP address, so it would be next to impossible even to track them down, let alone ban them all. Regarding preventing users' passwords from being brute forced, you don't need a captcha for that. If you enter an incorrect password, the forum will let you try again only after 1 minute, if I remember correctly. And I'm not sure if your IP won't be banned for longer after a few unsuccessful attempts.
Please reread what I said, as quoted above; I have edited the quote to put the key words in red. If already building a spambot which opens web login sessions, it would be trivial to make it keep many different sessions in parallel. Get them all logged in—perhaps via a scammy website which proxies the CAPTCHA, and offers real or imaginary freebies (free Bitcoin!) for completing CAPTCHAs. Then, leave them logged in.
You incorrectly assume that a spammer must log in his Sybil accounts from the same IP address. Spammers often have many IP addresses; and indeed, it would be easy to do away with account farmers if they always logged their zillions of accounts in and out from the same IP address. Also, multiple accounts can be logged in from the same IP address. Either way, there is no reason for a spambot to ever log out.
Since multiple users can be legitimately logged in from the same IP address, banning IP addresses for failed login attempts is also not a solution to bruteforcing. If theymos did that, then it would be trivial for an attacker to effectually ban Tor users from logging in to bitcointalk.org by deliberately making many bad login attempts from every exit node. Thus, I infer that theymos does not do this; and I assume the timeout you describe somehow works with cookies, or the like. Granted, I could be wrong there. It may simply be that nobody evil has thus far bothered to get Tor exits banned from attempted login.
Assuming a correlation between users and IP addresses is a common fallacy.
N.b., I have no idea how many users are currently logged into bitcointalk.org from the same IP address as I am using to post this right now. I’m almost certainly not the only one; moreover, my connecting IP address frequently changes. There are also reasons other than privacy why many users may share the same IP address: Carrier-grade NAT due to IPv4 address exhaustion, corporate proxies, etc., etc. —Also reasons why the same user may rapidly change IP addresses: Mobile users.... There is not and never was any strong correlation between people and IP addresses; security systems which assume that tend to simultaneously lock out legitimate users, and fail to lock out malicious attackers. Failure both ways.
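The post above argues that keying a failed-login lockout on the source IP address punishes everyone behind a shared address (a Tor exit, carrier-grade NAT, a corporate proxy) while an attacker with many addresses simply moves on. The simulation below is an added illustration, not bitcointalk's code and not anything theymos has published: it runs the same constructed sequence of login attempts through a throttle keyed per IP and through one keyed per account, so the collateral lockout of a legitimate user on a shared address becomes visible. The account names, addresses, and the 5-failures-per-60-seconds policy are all constructed for the example.

```python
"""Compare two failed-login throttling policies on a shared IP address.

Added example for illustration only; it is not the forum's real
login code. Limits (5 failures in a 60 s window) are assumed.
"""
from collections import defaultdict, deque

# Constructed user table: account -> password. Plaintext is used only to
# keep the simulation short; a real system stores salted password hashes.
USERS = {"alice": "correct horse", "victim": "battery staple"}

# Constructed login attempts: (time_s, source_ip, account, password).
# 203.0.113.7 stands in for one shared exit/NAT address that carries both
# an attacker's bad guesses against "victim" and Alice's genuine login.
EVENTS = [
    (0,  "203.0.113.7",  "victim", "guess1"),
    (1,  "203.0.113.7",  "victim", "guess2"),
    (2,  "203.0.113.7",  "victim", "guess3"),
    (3,  "203.0.113.7",  "victim", "guess4"),
    (4,  "203.0.113.7",  "victim", "guess5"),
    (5,  "203.0.113.7",  "alice",  "correct horse"),  # legitimate, shared IP
    (6,  "198.51.100.9", "victim", "guess6"),         # same attacker, new IP
    (70, "203.0.113.7",  "alice",  "correct horse"),  # after the window expires
]


class LoginThrottle:
    """Sliding-window failed-login throttle keyed by whatever key_fn returns."""

    def __init__(self, key_fn, max_failures=5, window=60):
        self.key_fn = key_fn
        self.max_failures = max_failures
        self.window = window
        # key -> timestamps of recent failures, oldest first
        self.failures = defaultdict(deque)

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()

    def attempt(self, now, ip, account, password):
        key = self.key_fn(ip, account)
        self._prune(key, now)
        if len(self.failures[key]) >= self.max_failures:
            return "throttled"
        if USERS.get(account) == password:
            return "ok"
        self.failures[key].append(now)
        return "bad password"


def per_ip(ip, account):
    """Policy 1: lock out by source address (the approach the post criticises)."""
    return ip


def per_account(ip, account):
    """Policy 2: lock out by targeted account, independent of address."""
    return account


def simulate(key_fn, events=EVENTS):
    """Return the outcome of each event under the given keying policy."""
    throttle = LoginThrottle(key_fn)
    return [throttle.attempt(*e) for e in events]


def legitimate_user_blocked(key_fn, events=EVENTS):
    """True if any correct-password attempt was refused under this policy."""
    outcomes = simulate(key_fn, events)
    return any(USERS.get(acct) == pw and out == "throttled"
               for (_, _, acct, pw), out in zip(events, outcomes))


if __name__ == "__main__":
    for name, policy in (("per-IP", per_ip), ("per-account", per_account)):
        print(f"{name:12} {simulate(policy)}  "
              f"legit user blocked: {legitimate_user_blocked(policy)}")
```

Under the per-IP policy Alice's correct login at t=5 is refused because five unrelated failures already sit on her shared address, while the attacker's sixth guess from a fresh address goes straight through. Under the per-account policy Alice is unaffected and the sixth guess is throttled regardless of where it comes from. The per-account policy has its own known trade-off: anyone who can reach the login form can keep a chosen account in the throttled state, which is why a throttle scoped to the attempting client (for instance via a cookie, as the post speculates) is worth considering alongside it.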
Sad thing is I don't have any bitcoin. Also checked the copper membership price. It costs around $31 which I don't have. :(
I read your other topic and it had a lot of insights. Some trolls always lurk around and take things in another direction. You also said you are very good with Tor. I am not an expert and just use it for bitcointalk browsing with JavaScript enabled.
What I wanted to know is if there is any other browser like Tor so I could use that and browse anonymously.
Well, if you signed up via Tor, then you must have some Bitcoin; theymos charges a small anti-abuse fee for new account signup from Tor and other IP addresses which have high risk for abuse. And if you didn’t sign up through Tor, then you are mixing Tor and non-Tor usage for the same account. That’s a big privacy no-no.
If you use Tor, then you should use only Tor Browser for your web browser. I actually dislike it, myself; but it has special privacy and antifingerprinting features, and also, it helps you blend into a crowd when you use the same browser as everybody else. The technical term is “anonymity set”. If you use a different browser with Tor, then you may still be more or less readily identifiable and/or trackable (web session linkage). You could be the only person using Browser X in a crowd of two million people using Tor Browser through Tor exits. If you want to use some privacy network other than Tor, I have no specific advice for you at this time. But this is all off-topic. If you desire a few further tips of where to learn about these things, feel free to ask your question in the Off-topic forum and PM me a link to your post. Just don’t get sucked into the huge heaps of trash posted there—much of which is posted by spammers trying to up their post counts; that’s the kind of dirt which can rub off on a newbie, if you get involved with it.