GitHub did the right thing. While GitHub might have had better ways to deal with this kind of thing technically, those controls are rather expensive to implement for novel scam use cases if they weren’t in place prior to the abuse.
The blast radius of their strategy is desirable since it will also remove the accounts of all participants, willing or not. It doesn’t really matter if each individual zombie is a willing participant in the horde, you’re still going to indiscriminately fire on all of them.
Participants will often claim to be victims, and while that’s probably not happening here, it’s way more cost effective to ban everything touching the scam. Tons of free users complaining essentially doesn’t matter since these users were already not generating value. Their potential loss is regrettable, but acceptable.
Genuine victims will eventually be able to get their accounts restored via support after they’ve contained the problem, and accounts in on the scam won’t bother. If they were a paying customer I’m sure they’d have ways to get this resolved.
The en masse bans weren’t utterly necessary, but they were a faster and more effective resolution to the problem from GitHub’s perspective.
If the suggestion is “do something really expensive and considerate of the scammers” the correct answer is always no. Scams create enormous costs, asking them to increase the cleanup costs is the wrong approach.
As a deterrent for abuse, it makes sense to suspend lots of accounts up front, pending investigation, and then let them back selectively as they are reviewed slowly. But if you're not doing the review, it makes no sense to ban lots of users while not addressing the root cause. That's just a way to run out of users.
I don't think that GitHub is at risk of "running out of users". If the cost of doing the review is greater than the cost of losing those wrongly banned users, it makes literally zero sense to do the review.