I have so far defined one rule: page creation is forbidden for users younger than X hours
Never, ever publicly post your constants. If it was a site-specific spammer, he can now create accounts X hours before posting, aka good old cookie-aging.
Overkill security professional solution (if you don’t mind Ajax and some coding though): have the site or at least crucial part of it self-decrypt with one-time-pad. Doubles the size (if whole-site) but robots extremely rarely run scripts so both chunks parse as garbage. And even if they did understand JavaScript you could make the problem “AI-hard” in principle (yes… I do realize there’s no such formal class).
Also, for fun: http://xkcd.com/810/
I’m not worried. As you can see from the sidebar, spammers have been prolifically creating accounts for countless months and almost all accounts wind up never being used. My inference is that most of them are being stymied by other anti-spam features. None of the spam seems to be done by hand, and certainly they aren’t looking on an obscure post on a different domain for a value that they would stumble upon accidentally (‘hm, my spam account didn’t work yesterday, let’s take a look to see if the error went away—oh, it did, there must be a 24-hr timeout’).
I totally agree there’s a very low probability of leak there. There’s still a (meta) reason to do stuff like this though.
If you have a high value target (like building an AI), you need insane paranoid security. That means you need to train the mindset of patching everything you possibly can, not because you think it’s unsafe but, you know, just because. E.g. you could tell the difference between a good and a bad sysadmin just by looking at his own PC. A good sysadmin will have every single drive truecrypted, no matter the inconvenience. This is an opportunity to train the mind into the job.
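Added example, not code from anyone in the thread: the age-gate rule from the first comment, plus a defender-side check for the counter-move the reply describes (accounts created exactly X hours before they are used). The threshold value, account names and timestamps are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed placeholder for the site's real X; the thread's advice is to keep it unpublished.
MIN_AGE_HOURS = 24


@dataclass
class Account:
    name: str
    created: datetime


def page_creation_allowed(account: Account, now: datetime,
                          min_age_hours: int = MIN_AGE_HOURS) -> bool:
    """The rule as stated: page creation is forbidden for accounts younger than X hours."""
    return now - account.created >= timedelta(hours=min_age_hours)


def flag_pre_aged(accounts, first_page_created, min_age_hours=MIN_AGE_HOURS,
                  window_hours=1.0):
    """Flag accounts whose first page creation lands in a narrow window right after
    they become eligible. A human's first page is spread over days; a bot that knows X
    registers, waits X hours, then posts, so its delay past eligibility is tiny."""
    flagged = []
    for acct in accounts:
        first = first_page_created.get(acct.name)
        if first is None:          # account never used, the common case in the sidebar
            continue
        eligible_at = acct.created + timedelta(hours=min_age_hours)
        delay_h = (first - eligible_at).total_seconds() / 3600
        if 0 <= delay_h <= window_hours:
            flagged.append(acct.name)
    return flagged


# Constructed sample data: four registrations and the time each first created a page.
_t0 = datetime(2011, 1, 1, 0, 0)
SAMPLE_ACCOUNTS = [
    Account("alice", _t0),
    Account("bot01", _t0),
    Account("bot02", _t0 + timedelta(hours=3)),
    Account("newbie", _t0 + timedelta(hours=30)),
]
SAMPLE_FIRST_PAGE = {
    "alice": _t0 + timedelta(days=9, hours=5),        # long after eligibility
    "bot01": _t0 + timedelta(hours=24, minutes=3),    # 3 minutes past the threshold
    "bot02": _t0 + timedelta(hours=27, minutes=20),   # 20 minutes past the threshold
    "newbie": _t0 + timedelta(hours=40),              # still too young; gate denies it
}
```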