These are Lemmy instances with a “Sign Up” link which present you with a form to fill out to register. Then after you fill out the form and supply information like email address to the server, they respond with “registration closed”:

I suppose it’s unlikely to be malice considering how many there are. It’s likely a case of shitty software design. There should be a toggle for open/closed registration and when it’s closed there should be no “Sign Up” button in the first place. And if someone visits the registration URL despite a lack of Sign Up link, it should show a reg. closed announcement.

Guess it’s worth mentioning there are some instances that accept your application for review (often with interview field) but then either let your application rot (“pending application” forever) or they silently reject it (you only discover non-acceptance when you make a login attempt and either get “login failed” or even more rudely it just re-renders the login form with no msg). These nodes fall into the selective non-acceptance category:

To be fair, I use a disposable email address which could be a reason the 5 above to reject my application. And if they did give a reason via email, I would not see it. Not sure if that’s happening but that’s also a case of bad software. That is, when a login attempt is made, the server could present the rationale for refusal. Another software defect would be failing to instantly reject an unacceptible email address.

  • debanqued@beehaw.orgOP
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    5
    ·
    edit-2
    5 months ago

    I’m not seeing how this is a good justification for login refusals to lack information and transparency. When you are denied a login, a well designed system tells you why you are denied and the rationale the server gives you should either include enough info to imply a remedial course of action (e.g. “re-apply and tell us more detail about why you like our node”), or at least make it clear that the refusal is final for reasons that are non-remedial. Users should not have to guess about why they are denied a login when countless things can go wrong with email at any moment. The denial rationale should be emailed and also copied into the server records to present upon login attempts.

    The only exception to this would be if they really believe they are blocking a malicious user. Then there is some merit to being non-transparent to threat agents. But the status quo is to treat apps rejected for any arbitrary reason as they would an attacker.

    • Darkassassin07
      link
      fedilink
      English
      arrow-up
      8
      ·
      5 months ago

      I could understand that if you had been granted an account you’d successfully logged into, and then started receiving login refusal afterwards; but to have not actually had an account yet makes it pretty obvious when you try to login and fail that the application has not been accepted. Whether that’s an explicit refusal, or just an idle queue that’s being ignored, doesn’t really make a difference. If the instance admins wanted to talk about it, they’d have emailed you; or published some means of contacting them outside lemmy.

      I wouldn’t expect to receive the reason for refusing the application via any other means than the email I’d provided in that application. That’s the entire purpose of providing an email; so you could be contacted when/if there are updates to your applications status.

      If you’re going to provide false contact info, you can’t be all that surprised when you don’t receive communication(s).

      • debanqued@beehaw.orgOP
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        2
        ·
        edit-2
        5 months ago

        to have not actually had an account yet makes it pretty obvious when you try to login and fail that the application has not been accepted.

        That would be a blunt non-transparent/non-specific message to send. It’s not obvious /why/ the reg was denied.

        If the instance admins wanted to talk about it, they’d have emailed you; or published some means of contacting them outside lemmy.

        Lemmy software is designed as comms software itself with email address disclosure optional. An admin can make it mandatory, but Lemmy’s design should cater for the email-free option regardless of how an admin toggles that setting.

        I wouldn’t expect to receive the reason for refusing the application via any other means than the email I’d provided in that application.

        I get that. People are accustomed to relying on email. But this is not an excuse for software deficiencies.

        That’s the entire purpose of providing an email; so you could be contacted when/if there are updates to your applications status.

        That can be accomplished without email. Email is a convenience at best. Some users have decided email is an inconvenience and do not use it. And Lemmy supports that – partially.

        Let’s be clear about who the software is expected to serve. The comms feature of giving feedback to users without an email account is not to directly serve the end user. Software should serve its user (the Lemmy admin in this case). A Lemmy admin does not want to take the time to express themselves on their decision only to have their msg blackholed. They don’t necessarily know that an email address is disposable. The end user benefits by extension, but it’s about creating software that serves the direct user of the s/w. If you’re an admin who makes email optional, you might still want to be able to get a msg to a user.

        The core purpose of the Lemmy platform is communication. So relying on out-of-band tech is kind of embarrassing. Think of it from the dog food angle. An in-band msg has the advantage that the admin has more control (e.g. they can edit a msg later and they can know whether the msg has been fetched). Lemmy relying on email as a primary means of comms is a dog food problem.

        The only sensible concession I would see to make is that there are a hell of a lot more important things for Lemmy devs to work on because the software has a lot of relatively serious defects. I’m talking about how great software would be coded, but extra diligent handling of denials should have a low triage in the big scheme of the state of where Lemmy is right now.

    • stevedidwhat_infosec@infosec.pub
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      1
      ·
      5 months ago

      The cognitive dissonance in this Jesus Christ

      You don’t think providing an email from a throw away service would strike the software as a malicious user/spam bot???

      You keep talking like you know everything and then step onto rakes and start screaming about how it’s the gardeners fault (you live alone and do the gardening, naturally)

      • debanqued@beehaw.orgOP
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        4
        ·
        edit-2
        5 months ago

        The cognitive dissonance in this

        It seems you don’t know what that phrase means. It doesn’t follow from anything else you wrote why you think that.

        You don’t think providing an email from a throw away service would strike the software as a malicious user/spam bot???

        You don’t think that legitimate streetwise users secure themselves by supplying disposable email addresses???

        You keep talking like you know everything

        The post intends to solicit intelligent and civil discourse with logical reasoning, not the sort of ego-charged emotional hot-headed pissing contest you’re trying to bring here.

        • stevedidwhat_infosec@infosec.pub
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          edit-2
          5 months ago

          Your post and subsequent comments say quite the opposite - they’re oozing ego-charged.

          Try coming from a place of genuine curiosity and not “this is wrong and stupid”

          I’m not interested in bickering with you about semantics of social conduct. Black boxing applications from disposable/abusable mechanisms is absolutely a-okay in cybersecurity terms.