[Foundation-l] and what if...

Michael Snow wikipedia at verizon.net
Fri Dec 12 16:53:46 UTC 2008


Andrew Whitworth wrote:
> On Fri, Dec 12, 2008 at 10:50 AM, Thomas Dalton <thomas.dalton at gmail.com> wrote:
>   
>>> Long-time ago, I suggested adding a short-duration cookie whenever a
>>> block was triggered that would allow the software to detect the most
>>> obvious IP jumping vandals (assuming they used the same browser on the
>>> same machine each time).  It doesn't get at the bulk of Tomek's
>>> criticism, but it does fall in the other-things-we-could-do category.
>>>       
>> Deleting cookies is far easier than changing IP addresses.
>>     
>
> I think we're all overestimating the problem here. If a vandal is
> absolutely determined and has enough technical savvy, no measures that
> we take are going to keep them out indefinitely. We can take
> reasonable measures to combat the most common types of vandalism, but
> we need to realize that no measures we take will be perfect and the
> more we do to try to combat individual determined vandals the more
> collateral damage we are going to sustain. If vandals aim to disrupt
> the project, then sweeping range blocks on IPs is victory for them.
>
> No solution is perfect, and the best we can do is to eliminate the
> most common cases in a reasonable way.
>   
Exactly. The question is not whether the suggested cookie will catch all 
or even most would-be vandals. The objective is to build in protections 
that are as fully-automatic as possible for us, while requiring extra 
steps to circumvent so that vandalism has a higher cost to the vandal. 
And the real issue to consider is how likely such a measure is to catch 
innocent fish in its net. Because the potential problem is not that 
everything can be circumvented, it's that most people shouldn't be put 
to the trouble of circumventing.

--Michael Snow


