Slashdot Mirror


Evolution of the 'Captcha'

FireballX301 writes "The New York Times is running an article about the small word puzzles various sites use in order to defeat automated script registration while still letting humans through. It seems many people can't actually solve them anymore, so new alternatives (image recognition) are being created. This, of course, seems breakable as well — is there a feasible alternative to the captcha, or are we stuck jumping through more and more hoops to register at places?"

7 of 383 comments

  1. Knowledge tests... by Anonymous Coward · · Score: 3, Interesting

    The other day I saw a system that posed the question:
    'Germany is a country in Africa?'

    Your duty to prove you were human was to change it to the proper continent and the question mark to a period. Seems pretty foolproof, especially if you combine it with things like "and make 'country' all capitals."

  2. Re:Stop testing the Humans, test the Robots by jimstapleton · · Score: 5, Interesting

    Have a random or semi-random set of field names, with an associated "key" field. Use the key field to retrieve the field names of interest. Also have a "name" and "password" field set up so they are invisible to a normal user.

    Block any IP submitting a non-blank "name" or "password" field.

    --
    34486853790
    Connection too slow for X forwarding? Try "ssh -CX user@host"
  3. Re:I am torn by lcoughey · · Score: 3, Interesting

    I thought I could avoid using Captchas by simply requesting that the user type in their IP address, which I showed at the bottom of the screen. I know that a bot can easily get the IP address too... I was thinking that my request was vague enough that the bot wouldn't understand the question. My guess is that the bot didn't understand the question and reported the error to its writer. The writer must have explored my website, found the source of the error and then added a subroutine to deal with my question.

    This is really annoying...not damaging, just a big pain in the butt. I could start blocking the IP addresses being used, but that would be in vain, knowing how many zombies are out there.

  4. Captcha effectiveness isn't related to difficulty by Samrobb · · Score: 4, Interesting

    Shamus Young (the creator of the "DM of the Rings") recently introduced a captcha on his site to deal with comment spam. In his post about using a captcha on his site, he notes that:

    ... I used to get many hundreds of spam a day. Traffic here has jumped up since then, and I wouldn't be at all surprised to find I'm getting a couple of thousand a day by this point. But all of them bounce off the CAPTCHA, and I never even see them. I only see a spam make it through about once every other week, and I'm betting the ones that do make it through are entered manually... In any case, these are really impressive results for a CAPTCHA with only one short phrase that never changes.

    Emphasis mine. He's running a fairly popular site, and using a captcha based off of a single, unchanging, three-character phrase. Just the presence of the captcha was enough to effectively eliminate his spam problem. The indication seems to be that just the presence of a captcha is enough to keep spam off of even a moderately popular site.

    --
    "Great men are not always wise: neither do the aged understand judgement." Job 32:9
  5. Re:Great idea by Jupix · · Score: 3, Interesting

    Heh, I remember once having to enter some cryptic captcha string into a text field at rapidshare or some nameless file hosting service. I think the problem with it was there was no discrimination between O and zero, or something to that extent. Anyway, the captcha sucked so much I misread it three times, at which point the site replied with "You are a bot!" and shut me out of the system. Funny way of showing appreciation and respect to customers.

    By the way - since I started typing on this subject - I run a couple of phpBB forums which get quite a few spambots even daily. I've found the best way to deal with them is just to write your own captcha, or an extra form input, requiring dynamic input (doesn't have to be text). Even if your captcha is incredibly weak, it's not likely to be broken because no spambot developer is going to bother cracking a captcha of just one website. Widespread captcha MODs tend to get broken more often so they aren't half as effective.

    On my forum, I have a ten by five cell table filled with checkboxes, and a line of text that says "Please check ten of the checkboxes below", with the number changing on each pageload. The captcha only took me a couple of hours to code, and I haven't had a single spambot registration since I wrote it.
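
A sketch of the checkbox challenge described in comment 5, added here as an example and not Jupix's phpBB code. It assumes an in-memory dict stands in for session storage and that the checkboxes are submitted under the hypothetical field name `box`.

```python
import secrets

ROWS, COLS = 5, 10     # the comment's "ten by five" table of checkboxes
_pending = {}          # challenge id -> required count (stand-in for session storage)

def new_challenge():
    """Pick a fresh count for this page load and remember it server-side."""
    cid = secrets.token_urlsafe(16)
    need = secrets.randbelow(10) + 3       # 3..12, changes on every page load
    _pending[cid] = need
    return cid, need

def render(cid, need):
    """HTML fragment: the prompt, a hidden challenge id and the checkbox table."""
    rows = []
    for r in range(ROWS):
        cells = "".join(
            f'<td><input type="checkbox" name="box" value="{r * COLS + c}"></td>'
            for c in range(COLS))
        rows.append(f"<tr>{cells}</tr>")
    return (f"<p>Please check {need} of the checkboxes below</p>"
            f'<input type="hidden" name="cid" value="{cid}">'
            f"<table>{''.join(rows)}</table>")

def verify(cid, checked_values):
    """True only for a known, unused challenge with exactly the required
    number of distinct, in-range boxes ticked."""
    need = _pending.pop(cid, None)         # pop: each challenge is single-use
    if need is None:
        return False
    try:
        boxes = {int(v) for v in checked_values}
    except (TypeError, ValueError):
        return False                       # non-numeric checkbox value
    if any(b < 0 or b >= ROWS * COLS for b in boxes):
        return False
    return len(boxes) == need
```
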

  6. Re:Alternative? by cyphergirl · · Score: 4, Interesting

    My husband and I run a forum for homebuilt aircraft and we've already got bots doing this. We're using captchas at registration, an email activation link AND we have to have a moderator personally approve every registration...... and we still have some spammers who get through. I'm really beginning to think that there is an army of them out there earning .01 per hour to actually read our site and create profiles that match our user base. Some of the spammers have gone as far as to create signature blocks stating which type of kit they are building and the tail number they've reserved from the FAA. The account gets approved and then we've got hundreds of V1@grA posts to clean up in the morning.

    I read an advertisement recently -- apparently someone is collecting the URLs of web forum signup pages and then selling them to the botnets. I was thinking that maybe we could come up with a way of randomizing the signup page URL so that it would only work when the link is actually clicked on, but never got around to it. And let's be honest -- they'd figure that out too. *sigh*

    --
    --Insert catchy .sig line here--
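
One way to build the per-click signup URL that comment 6 proposes, added here as an example and not code from the thread. The `/signup/` path, the ten-minute lifetime and the in-memory nonce set are assumptions; a harvested link goes stale after expiry or first use, while a client that loads the linking page first still receives a fresh one.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)   # per-deployment key, kept server-side (assumption)
TTL = 600                          # seconds a freshly rendered link stays valid
_used = set()                      # nonces already redeemed (stand-in for a shared store)

def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def signup_link(now=None):
    """Called while rendering the page that links to registration."""
    now = int(time.time() if now is None else now)
    payload = f"{now + TTL}.{secrets.token_hex(8)}"      # expiry.nonce
    return f"/signup/{payload}.{_mac(payload)}"

def check_signup_path(path, now=None):
    """Return True once per valid, unexpired link and False for anything else."""
    now = int(time.time() if now is None else now)
    prefix = "/signup/"
    if not path.startswith(prefix):
        return False
    parts = path[len(prefix):].split(".")
    if len(parts) != 3:
        return False
    expires, nonce, tag = parts
    payload = f"{expires}.{nonce}"
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(_mac(payload).encode(), tag.encode()):
        return False                       # forged or altered link
    if int(expires) < now or nonce in _used:
        return False                       # stale (harvested) or replayed link
    _used.add(nonce)
    return True
```

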
  7. Captcha wastes (human) time and frustrates users by jeremy+f · · Score: 3, Interesting

    So rather than put the burden of proof on humans to prove they're not a machine, put the burden of proof on the machines to prove they're a human?

    Take your average HTML form:

    Rather than have 1 textbox for a field value, have 10. UserName1, UserName2, UserName3, etc.

    Use javascript to randomly assign one of them as visible. The rest are hidden from the user.

    On the server, watch to see which textbox is filled. Presumably, with decent enough javascript skills, and stupid enough bots, your humans will fill out what they see, which is the correct combination. The bots won't.

    Granted, this method can be defeated if the bot checks for field level visibility after the page finishes loading, but even then, with decent enough javascript, you can continue to provide unobtrusive checks to ensure that your user is real -- e.g., unless the bot is running a macro through a web browser itself, your onblur events probably won't be tripped. And so on.

    This puts a burden on the developers to come up with clever ways of defeating the bots, but in reality, that's where the battle is -- html application devs. vs spambot devs. Users shouldn't have to be dragged into the middle.
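
Server-side checking for the decoy-field ideas in comments 2 and 7, added here as an example and not code from either commenter. Deriving the input names from the hidden `key` field with an HMAC is an assumption (comment 2 does not say how the key maps to names), and the `username`/`email` fields are hypothetical; the page template would show only the picked input of each set and hide the rest, as comment 7 describes.

```python
import hashlib, hmac, secrets

SECRET = secrets.token_bytes(32)      # server-side only
LOGICAL = ("username", "email")       # hypothetical fields of a signup form
DECOYS = 10                           # candidate inputs per logical field
HONEYPOTS = ("name", "password")      # hidden from humans, who leave them blank

def _h(key, label):
    return hmac.new(SECRET, f"{key}:{label}".encode(), hashlib.sha256).hexdigest()

def layout(key):
    """Map each logical field to (candidate input names, index of the visible one)."""
    out = {}
    for field in LOGICAL:
        names = ["f" + _h(key, f"{field}:{i}")[:12] for i in range(DECOYS)]
        out[field] = (names, int(_h(key, f"{field}:pick"), 16) % DECOYS)
    return out

def new_form():
    """Per page load: a fresh key plus the layout the template renders."""
    key = secrets.token_hex(8)
    return key, layout(key)

def validate(post):
    """Return the real field values, or None if the submission looks automated."""
    if any(post.get(h, "").strip() for h in HONEYPOTS):
        return None                               # hidden trap field was filled
    values = {}
    for field, (names, real) in layout(post.get("key", "")).items():
        for i, n in enumerate(names):
            filled = bool(post.get(n, "").strip())
            if i != real and filled:
                return None                       # typed into an input no human sees
            if i == real and not filled:
                return None                       # missed the only visible input
        values[field] = post[names[real]].strip()
    return values
```
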