Zip bombs are malicious. Captcha is annoying to humans. System or user attestation are pure evil. Proof-of-work has none of these problems.

Zip bombs eat some RAM. I have zero problems serving zip bombs to clients that explicitly disregard "do not enter" signs (and more specifically, actually enter them on purpose.) (Also: it's essentially a honeypot setup, which is nothing terribly novel in concept; people do it for SSH and other things.)

Sigh. I sometimes get the feeling that HN moderation can no longer keep up with actually reviewing the flags.