Beehaw got their knickers in a twist because of some spammers, back when lemmy.world and shitjustworks had… maybe 30,000 registered users in total. The solution there was adding more moderators. You don’t chop your leg off because you got a few papercuts.

If you look at the volume of bots (some instances went from hundreds of users to >12,000 overnight), that’s potential for worry. There’s ~500,000 bot accounts sitting out there waiting to be activated. No amount of moderators can block that fast enough, and that’s when de-federation should be considered.

You’re right that captchas can be bypassed, but I disagree that they’re useless.

Do you lock your house? Are you aware that most locks can be picked and windows can be smashed?

captchas can be defeated, but that doesn’t mean they’re useless - they increase the level of friction required to automate malicious activity. Maybe not a lot, but along with other measures, it may make it tricky enough to circumvent that it discourages a good percentage of bot spammers. It’s the “Swiss cheese” model of security.

Registration applications stop bots, but it also stops legitimate users. I almost didn’t get onto the fediverse because of registration applications. I filled out applications at lemmy.ml and beehaw.org, and then forgot about it. Two days later, I got reminded of the fediverse, and luckily I found this instance that didn’t require some sort of application to join.

Haven’t you heard of the “Swiss cheese” model of security?

The best way to ensure your server is protected is to unplug it from the Internet and put it in an EMF-shielded Faraday cage.

There’s always a tradeoff between security, usability and cost.

captchas can be defeated, but that doesn’t mean they’re useless - they increase the level of friction required to automate malicious activity. Maybe not a lot, but along with other measures, it may make it tricky enough to circumvent that it discourages a good percentage of bot spammers.