Would it work to do that by IP, and allow only X different IPs for an account to try to login on a single day? e.g. if you've tried to login with 10 different IPs on that day, you will no longer be able to login that day. (Of course this would mean saving some extra data.) The biggest problem I see is that this means people can lock you out of your account, which is probably unacceptable.
What my bank does (and PayPal too if I remember correctly) is keep track of my IP, and if it changes then it forces me to enter additional data about my account before letting me continue. (This assumes I got the password correct.) I think one or both also may use some cookie(s) to mitigate changing IPs. They may also make use of leaky browser data (like user agent strings etc.) to help identify me; they have the potential to see a lot since I'm not trying to hide from them.
I don't see anything wrong in principle with "account lock out" provided that it doesn't affect existing sessions and provided that you can just ask the site to send an email with a token to reset your password. Spammers can lock a user out, so what. Minor inconvenience. If it's happening a lot to the same user and it's also affecting the user negatively, something extra could be done to minimize lockouts for the actual user (who should be easy to detect by the server through logs and a premise the user isn't trying to hide).
Spammers are able to flood you with "forgot your password?" emails, too. I don't know how often they do it. I had my first wave after 7 years of the same email just a few months ago, mostly from old sites I forgot I even had accounts on.
I'm not really a fan of the exponential backoff idea proposed earlier above, I'd sooner go with the "X tries, then wait" approach. The lockout time should not be more than 24 hours, ideally less. Though one could also set the lockout period to expire when the user's session automatically expires, if there's a current one, but that may be too clever.
I feel that there are really two pieces of advice to give on dealing with spammers for the general case... Advice for low-traffic sites and advice for high-traffic sites. I don't have any advice with high-traffic sites since I have no experience with spam at that level (and by high-traffic I mean thousands to millions of uniques per hour), though I don't think the status quo is good enough. With low-traffic sites spam behavior is easy to detect and create a custom solution against. Custom solutions are often better than the popular stuff just by virtue of not having anyone targeting them specifically, and even if that's the case it's still easier to cat-and-mouse if the main options against spam aren't acceptable. Something as dead-simple as loading your form with javascript (or dynamically changing the URL endpoint when the submit button is clicked to something different than what's reported by the form's html attribute...) stops a lot of bots regardless of a captcha, even though you sacrifice the Lynx users. And in my own anecdotal experience I've had more success (less spam bots getting through and leaving a message) with a captcha like "Please join these two "words" together (without spaces): taeiswovd and brhpugqc" than with ReCaptcha even though it'd take less than a minute to add a parser for mine in a bot program. I used to use an arithmetic question but even the dumb bots are on to that one these days--at least the ones after my comment boxes. (I don't even think they added, they just tried numbers 0-99 and sometimes got lucky.)
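The schemes discussed in the comments above ("X tries, then wait" with a lockout of at most 24 hours, a daily cap on distinct IPs per account, and unlocking through an emailed reset token), sketched as an added example that is not from any commenter. The class name, method names and thresholds are assumptions.

```python
import time

DAY = 24 * 60 * 60  # seconds

class LoginThrottle:
    """Per-account 'X tries, then wait' lockout plus a daily cap on distinct source IPs.

    Consulted only on the login path, so sessions that already exist are unaffected.
    """

    def __init__(self, max_failures=5, lockout_seconds=15 * 60,
                 max_ips_per_day=10, clock=time.time):
        if not 0 < lockout_seconds <= DAY:
            raise ValueError("lockout must be between 1 second and 24 hours")
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.max_ips_per_day = max_ips_per_day
        self.clock = clock            # injectable so tests can move time forward
        self.failures = {}            # account -> failed attempts since last success
        self.locked_until = {}        # account -> unix time the lockout ends
        self.ips = {}                 # account -> (day number, set of IPs seen that day)

    def check(self, account, ip):
        """Return 'ok', 'locked' or 'too_many_ips' for a new login attempt."""
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return "locked"
        day = int(now // DAY)
        if self.ips.get(account, (None, None))[0] != day:
            self.ips[account] = (day, set())   # new day: forget yesterday's addresses
        seen = self.ips[account][1]
        # Assumption: the first N addresses of the day keep working; only new ones are refused.
        if ip not in seen and len(seen) >= self.max_ips_per_day:
            return "too_many_ips"
        seen.add(ip)
        return "ok"

    def record(self, account, success):
        """Call after the password check for an attempt that check() allowed."""
        if success:
            self.failures.pop(account, None)
            return
        count = self.failures.get(account, 0) + 1
        if count >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lockout_seconds
            count = 0                 # fixed wait, no exponential growth
        self.failures[account] = count

    def unlock(self, account):
        """Call once an emailed password-reset token has been verified."""
        self.locked_until.pop(account, None)
        self.failures.pop(account, None)


if __name__ == "__main__":
    # Constructed demo: documentation-range IP and a made-up account name.
    throttle = LoginThrottle(max_failures=3, lockout_seconds=600)
    for _ in range(3):
        throttle.check("alice", "198.51.100.7")
        throttle.record("alice", success=False)
    print(throttle.check("alice", "198.51.100.7"))
```

The in-memory dictionaries stand in for whatever store the site already uses; the "extra data" mentioned in the first comment is the per-account set of addresses.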
PayPal doesn't ask you for some extra data. It blocks ("limits") your account so you can't actually use it until you provide them with a copy of your utility bill or something. Terrific when you're on vacation and need to make a PayPal payment. That had me so pissed off that I closed my account (which isn't possible whilst it's "limited" unless you manage to get them on the phone -- good luck with that. -- at least you can then tell the person on the phone that you think they're full of )
>at least you can then tell the person on the phone that you think they're full of
Why? The poor soul answering support calls likely didn't make this policy and cannot do anything to change it. I guess if you like just unloading anger at some unempowered person who has the responsibility of taking a bunch of crap without reacting in turn then this is a good idea. Otherwise it is more useful to take your business elsewhere, and if you must try finding someone to complain towards that might actually be able to encourage change.
Yeah, PayPal does a lot of crap... But I was buying some stuff on a different-than-usual computer and place just a few weeks ago, and it made me provide my bank account number as verification before it would let me send the payment. (Had to sign into my bank account to find a scan of an old check to read it off of..) In a similar vein, Amazon requires reentering your credit card every time you send to a new shipping address.
Why do you call that crap? A normal bank would do something similar. Try traveling to another country and using your ATM card, it likely won't work unless you call your bank ahead of time and tell them of your travel plans.
I was going to respond to a few of the comments here, but then I realized I was going to say pretty much the same to all of them, so here goes:
I've got clinical depression. What this means is that there is something fundamentally wrong in my brain that causes me to be depressed. There is no direct environmental cause that makes me depressed. Now, here's what many people get wrong about severe depression:
Severe depression does NOT mean that exercise, a healthy diet and getting a social life won't help at all.
Rather, depression completely drains your motivation to do any of those things. Which in turn makes you more depressed. Which makes you even less likely to do any of them. And so on and so forth. It's 'positive' feedback, but it starts with a neurological problem. This is why all the 'cheer up'-sort of advice doesn't help people who're depressed, and why it tends to only make them more miserable.
Of course, this is only my experience. I'm quite sure there are plenty of people who are depressed for reasons found in their environment, and then get stuck in the same loop. But it would be ridiculous to presume that I'm unique in this regard.
I also have clinical depression, and this has also been my experience.
Something which also adds to the problems is that people so often condescend - 'you won't feel better unless you do X, Y or Z' and actually essentially accuse you of bringing it on yourself. And a lot of the problem is the guilt you feel about everything, so it's the worst possible thing you can do for a depressed person.
I find having some project that gives you an output is important, to contradict the standard 'oh don't spend so much time on a computer project' points. The alternative a lot of the time for me is spending all day in bed because I feel so low, so having an outlet matters. But of course you then find it hard to balance that.
Having said that, all the standard healthy advice is important too. It's just really important to differentiate between mild and severe depression - it's like the difference between having the flu and people recommending painkillers and having a serious chronic disease. The advice is good for mild depression but really not going to touch anything for the severe variety.
For people who are lucky enough not to suffer from severe depression - don't presume to know what it's like because you've felt a little bit low before.
"clinical" depression is meaningless. Literally, it has no meaning. Perhaps you mean "Diagnosed by a real doctor", as opposed to "self diagnosed from a check list"?
But when we look at depression diagnosed by experts we see a variety of forms, and a variety of strengths.
I agree that well meaning people sometimes offer really bad advice.
But advice about developing a healthy lifestyle (being careful with caffeine, alcohol, recreational drugs; eating better; sorting out sleep; getting exercise) and developing a social life are important, because these things help people with very serious, life threatening, illness. In combination with therapy they can be part of an effective cure for many people. (At least leaving others with several years of recovery). If needed, this advice can be combined with medication. And, if needed, all of this stuff can be started if the patient is in hospital. (At least in England all MH hospitals should have programmes of OT to start social life outside hospital and they should have some kind of exercise stuff, and contacts with local gyms.)
I've known people who are ill enough to require electro convulsive therapy and they said that this other stuff was important to them, but that they needed help to apply it.
And that's the important thing. Saying "I am too ill to do this stuff" is not the same as saying "this stuff would not be helpful to me if I did it". What people need is help to apply this stuff.
Well, to me 'clinical' depression implies diagnosed by a doctor, yes.
Sure, and it does vary a lot. So perhaps I meant to say severe vs. mild.
People overstate these things to a degree. Like I said, sure they help, but it's scratching the surface IMHO. What's more important is to attack the depression itself, directly.
And, though anecdotal, I've been through periods being severely depressed despite going to the gym a lot, and eating relatively well, and had it make very little difference. I've also socialised a lot and had that make no difference. So this isn't just conjecture.
I guess part of it is that it varies from person to person. Also the degree of the depression at any given time waxes and wanes.
And agreed, a key thing is to admit you can't do it all by yourself, and go and get help.
The key thing, however, is for people to lose that attitude of 'go get a life doing things I think are healthy/fun and you'll be happy' because, basically, that's b.s. projection, and for some it borders on blame-the-victim mentality.
I think diseases like depression are particularly problematic because people don't take them seriously and imagine that they're not all that serious, perhaps slightly made up, or not as solid and easy to diagnose and understand as a physical illness. Perhaps people need to come to respect it more.
In most cases CBT & exercise and better food is attacking the depression itself, directly.
> The key thing, however, is for people to lose that attitude of 'go get a life doing things I think are healthy/fun and you'll be happy' because, basically, that's b.s. projection,
The phrase "clinical depression" distinguishes depression (in the clinical, officially-diagnosed sense) from depression (in the informal, no-more-cookies-angst sense).
If you want to know more about the technical meaning of "depression," consult DSM.
No, depression is enough to distinguish from simple sadness, or grief, or other forms of sadness which are not pathological. Depression is already defined as an illness, and not simple sadness. Prefixing nonsense words does nothing to increase understanding of the illness of depression or of the normal forms of sadness that people experience.
Medical professionals do not ever call something clinical depression. They'll use words like reactive or endogenous etc.
The solution to people mis-using the term depression to apply it to things which are not depression is to stop people mis-using that term, not to invent other terms.
> When your sports team loses, you get depressed.
No, you are sad, fed-up, gutted, sick as a parrot, annoyed, frustrated, mournful, etc. You are not depressed, because depression is an illness.
The other problem with "clinical" is that it is widely used by cranks - see for example "clinical nutritionist".
'Depressed mood' is regularly used in both psychology and medicine. "The patient arrived in a depressed state" does not mean that they have one of the ongoing illnesses of Depression.
> Medical professionals do not ever call something clinical depression.
I used to work in a neurology lab, and I heard consultant neurologists use the term. I do not agree with 'do not ever'. Unless you're counting medical specialists that take 13 years to train as somehow not being 'professionals'.
Just googling 'clinical depression' comes up with a few links of professionals (like the Mayo Clinic) using the term. The important thing to note is that just because a term might not be in the DSM does not mean that the term is not used or meaningless. Yes, I'll agree, it's not used to refer to one specific disorder, but that doesn't make it meaningless.
> You are not depressed, because depression is an illness.
Depression is an illness. It is also a transient state. You're doing the same thing as those people who say "but 'kid' actually means 'baby goat'".
> The other problem with "clinical" is that it is widely used by cranks
Fallacy of association: Cars are widely used by criminals, therefore we should not use cars.
Would you really correct a co-worker who said 'bob is depressed because his team lost last night' with 'no he's not, because depression is an illness'?
'clinical depression' has a biological base and responds better to pharmaceutical intervention, and generally covers the diagnosable stuff in the DSM. 'regular' depression is just being sad because of life events - when your wife leaves you and your dog dies, that's when you get 'regular' depression.
Got decent furniture, got the roommate to get his own apartment and I am sprucing up the abode in general so that it looks like a person actually lives here, rather than inhabits the space. Using brighter colors that are outside of my usual blacks and browns. This is all very normal stuff for other people, I suppose, but it's something I never really thought about. I wasn't paying attention to my surroundings much. As it stands right now, I wouldn't be ashamed to invite people over for an evening, whereas before, I kept my door shut so people didn't see the mess.
I'm making an effort to be more sociable, which is difficult. I'm middle-aged and haven't dated or had a relationship since high school and so I've got some real hurdles to overcome there. That part may be impossible to overcome, but I'm trying it, slowly.
The very affectionate cat I've had for a couple of years helps, too. A pet forces you to focus on something other than your own misery. Plus, it's hard to have a suck day when the cat is standing on your chest, headbutting you in the chin or trying to eat your hand while you type.
This isn't necessarily the answer for everyone. It may only be me. I do know that a year ago I was very miserable, felt worthless and dead inside, and now I don't feel like that anymore.
Have any forms of cognitive behaviour therapy or say innerchild/regression therapy helped or been explored? Have you explored dietary changes? Did you have ear infections as a child (relevant question)?
Yes and yes. Both didn't work, or didn't have enough effect to get me out of the no-motivation cycle. Ergo, SSRIs (which thankfully did work). Yes to the third question, too (as a matter of fact I had a cholesteatoma). Could you tell me how that is relevant?
Sorry for the delay in responding. Hearing can actually be related to depression. http://www.aitinstitute.org/ - the website / therapy is marketed towards children with autism as that is the largest group affected, and the most severely. There's an out-of-print book called "Hearing Equals Behaviour" by the researcher who 45+ years ago discovered a correlation between hearing and behaviour. People are 100% going to be depressed if they have a hearing imbalance at 1,000 Hz; Imbalance is if say in one ear the lowest you can hear is 11 Dbs, and the other ear you can hear at 14 Dbs - that shows an imbalance of 3 Dbs. The sound therapy I listed helps let the mind 'release' and equalize those imbalances. If you have an imbalance at 1,000 Hz then medication won't help, cognitive behaviour therapy won't help. I imagine it's possible to not be "locked into" a depressive state, but set into one temporarily with hearing-related issues early on - I'm unsure it would be fruitful to investigate further.
It's not likely relevant, really. Sometimes people are depressed after flu or ear infection and attribute it to that.
There's some sense in:
1. If you're stressed and/or avoiding sunlight, you're more likely to be depressed and fall ill.
2. You feel less pleasure while severely sick. Personally, I notice my affect when thinking about everything is dramatically different. I discount it for that reason.
3. Depression apparently involves some feedback loops that can make it a fairly stable equilibrium; so the shift in experience during the sickness might linger (perhaps the isolation and lack of sun while sick lingers).
I don't see any studies showing a strong link. To present my own anecdote, I had a dozen ear infections before my teens and have never experienced depression. This is a very small bit of evidence, though.
Hint: comments are for communicating stuff to people. Posting a braindump and pretty much saying 'just figure out what I meant for yourself' is both rude and annoying.
Feds have been an integral part since DEF CON 1. They're welcome, and booing them off the stage is just childish. Again, I'm pretty sure the majority of hackers don't agree with them, and may even think they're a bunch of morons, but it's still interesting to hear what they have to say. People do get booed off the stage, but for entirely different reasons, e.g. http://news.cnet.com/8301-10784_3-9755135-7.html (and watch the video, it's hilarious).
(Also, talking about security-people-hackers on a site primarily focused on programming-startup-hackers confuses the crap out of me.)
> Again, I'm pretty sure the majority of hackers don't agree with them, and may even think they're a bunch of morons, but it's still interesting to hear what they have to say.
So, "keep your friends close, and your enemies closer?" :-)
Anyway, you make a good point, and there are good reasons to let the NSA guy have his say. But when you look at the abuses perpetrated by the US government over the years, it's hard to feel good about hanging around and listening to more propaganda from their representatives. And chucking tomatoes at him would send a strong message "don't assume that we are on the same side, or that we are going to support your agenda" or whatever.
"Edit: I should add that no chemical is good for everyone, not even caffeine."
I don't think it's the caffeine that causes all these benefits. (Though, being an avid hacker myself, I of course can think of a few benefits of that particular chemical.)
The only one I can name off the top of my head is Apex Digital (b/c it was HQ'd close to where I grew up). Apex was competing with a Chinese state-owned agency and rejected a buyout offer. Chinese officials arrested its CEO on fraud charges and tried to seize the company's Chinese operating assets to give to the Chinese company. Eventually, Apex went bankrupt fighting the case.
There are many more; the common thread is usually that these companies are competing with Chinese companies.
You could say that, but it would be wrong. A tangent is an equation of the form y = ax + b at point P, which just happens to have (well, by definition) a value for a that equals the rate of change at P (of the original equation).