Slashdot Mirror
Why the CAPTCHA Approach Is Doomed
TechnoBabble Pro writes "The CAPTCHA idea sounds simple: prevent bots from massively abusing a website (e.g. to get many email or social network accounts, and send spam), by giving users a test which is easy for humans, but impossible for computers. Is there really such a thing as a well-balanced CAPTCHA, easy on human eyes, but tough on bots? TechnoBabble Pro has a piece on 3 CAPTCHA gotchas which show why any puzzle which isn't a nuisance to legitimate users, won't be much hindrance to abusers, either. It looks like we need a different approach to stop the bots."
So if the CAPTCHA is doomed, what is the next approach? Letting spam bots go rampant over a site is not an acceptable alternative.
Jumpstart the tartan drive.
...is the point going right over the author's head.
A CAPTCHA works well enough for the same reason greylisting works well enough. They may be trivial to bypass (for some definition of 'trivial'), buy many applications only need a tiny speed-bump to make a huge difference in undesirable traffic.
That's where the issue is.
I've been a nerd since I was born. Grew up with early computers. Watched them evolve until now. But nothing makes me feel dumber than trying a CAPTCHA 5 or 6 times and failing every time. Its a serious annoyance and I've seen WORSE that I haven't even attempted.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
impose default caps on sent emails per account, IP, whatever, until the sender has been established as a legit sender of mass mails.
What does this have to do with the subject of website captchas?
If libertarians are so opposed to effective government, why don't they all move to Somalia?
... which is another way of saying they really doesn't work at all. Both annoy legitimate customers and users while still allowing those with nefarious motives to do whatever they wanted to do in the first place.
If someone says he and his monkey have nothing to hide, they almost certainly do.
Everyone seems to think that the answer to this is to challenge the user somehow. Why isn't a technical solution possible that doesn't require any interaction from a person?
On my own contact forms, I use a really simple obfuscation technique, it doesn't require any user interaction, and I don't get any spam. I've chosen to name my form elements with meaningless names, because obviously automated spammers rely on field names to fill in the blanks. If they see a form like this:
<input type="text" name="email">
<input type="text" name="subject">
<input type="text" name="message">
Obviously it's pretty easy to fill out. If they see this instead:
<input type="text" name="sj38d74j">
<input type="text" name="9sk2i84h">
<input type="text" name="m29s784j">
Then they probably won't even make it past the email validation part, unless they catch the error that my page is printing and try all combinations (or get lucky).
It makes it even more effective when you use fields with good names, but hide them from users with either CSS or Javascript:
<input type="text" name="email" style="display: none;">
That's a honeypot, if it's filled out then it's a robot. You can use the same CSS or Javascript techniques to also print messages informing users not to fill those out if their browser decides to not run my code and instead shows them.
Really simple solution, requiring no user interaction, and is at least if not more effective than a challenge and response type of solution. I don't know why everyone is hung up on a visual challenge when it's a lot easier to distinguish between a real web browser and a scraper that doesn't bother to execute Javascript or apply CSS. I've been saying this for years though, so I don't really expect anyone to start paying attention now.. at least my own inbox is spam-free though.
Because an open ended question would get a million different responses.
And having the user select a radio button would narrow the probability down to 1/X choices. And when you have a million bots, 1/x is more than enough to get your spam out.
All the bot needs to do is do a google search for "site:example.com", hit a random sampling of the results, and then register.
In the grand scheme of things, it probably only adds a few percent of overhead for the bot.
I have suggested a solution more times than I care to count:
There's your first clue that maybe your solution isn't the be-all-end-all you think it is.
impose default caps on sent emails per account, IP, whatever, until the sender has been established as a legit sender of mass mails.
OK, but who are you suggesting should impose these default caps? ISPs? That's fine, but the only way an ISP can do this is by firewalling outbound port 25 and requiring all their customers to relay mail through the ISP's mail server. A lot of ISPs do this and I wish more of them would, but it can cause problems for customers (if you're required to relay through your company's SMTP server instead and they haven't configured an alternate port such as 587, or if the ISP's SMTP server is poorly configured/overloaded/hacked/broken, then the user can't send mail and the resulting customer service calls are pretty expensive for the ISP and could drive the customer to leave).
On top of that, a lot of people are migrating away from traditional POP3/IMAP/SMTP e-mail accounts, and just using webmail services instead. Webmail services, of course, can impose all kinds of limits on the activities of their users, but these limits only make sense on a per-account basis. You can't put limits on the number of messages sent from one IP address regardless of who's logged in, because there could be 300 different users all connecting through a proxy server on one IP, and you have no way to tell the difference.
So, you have to limit each account. But a spammer can easily sign up for multiple accounts, using an automated program! Then they can get around your restrictions, by logging in on 300 different accounts and sending one e-mail from each of them. How do you prevent this?
By using a CAPTCHA.
Which is what we're talking about.
Thanks for playing!
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
CAPTCHAs are simple Turing tests. As computers get faster and software gets smarter, it will become harder and harder to tell them apart. Also, since humans have a broad spectrum of ability, there will be an increasing percentage of humans who can not pass the tests.
For example, math students who can not tell a Rembrandt from a Picasso, and art students who can't determine the roots of a simple quadratic. (See, I'm not picking on anyone in particular - we are all ignorant in most fields.)
In future we will get to a point where the computers can design CAPTCHAs that no human can solve, but robots can!
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
Still won't defeat the army of underpaid workers to do it.
Disclaimer: I am not god.
We may not be created equal
But we can be treated equal.
...until AI gets smart enough to answer questions intuitively.
It's REALLY HARD to automatically generate random questions that an average human can answer easily, but that current AI technology can't answer just as easily. Of course you can come up with questions yourself, and compile a list of them, but if you've only got a list of a hundred questions, then all the spammer has to do is figure out the answers to your hundred questions, and then he has free reign to do whatever he wants. Or, come up with the answer to ONE of them, and he has free reign to do whatever he wants at 1% the speed he could otherwise, which is still a hell of a lot of spam.
If you don't believe me, you try writing software that will generate random questions. Here's my stab at it, which would barely slow a spammer down.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Most posts on this topic have been along the lines of, "Maybe CAPTCHAs as they are implement now don't work, but here is a method that is trivial for people but hard for computers."
TFA's best argument, in my opinion, was that it is trivially inexpensive for a spammer to simply hire people to break CAPTCHAs. So, a method that doesn't annoy people but is hard for computers still won't work because the spammer will just use people. This is not a topic I know a lot about (not being a spammer I don't know what kind of revenue they generate) but would like to hear a response to this. Is the TFA off its gourd and better technology really will solve this problem? Or is gate-keeping for free services essentially pointless?
Greylisting only works because many sites don't use it; if everybody used it, it would stop working.
The economics of CAPTCHAs are even less favorable, since the cost of breaking a CAPTCHA is small compared to the cost of what the bot actually does after it has broken it.
Would it really be that hard to have a picture of a rabbit and set it to accept bunny or rabit or even hare?
When you spell it "rabit", it is.
Everyone has a great idea for a CAPTCHA, but very few people know what the hell is really going on. Remember that the machine doesn't need to solve the CAPTCHA every time, that machines are infinitely patient and have huge memories, and that another machine needs to make sure the human gave the right answer!
Ideas that won't work:
Really, it's very easy to think you've come up with a very clever CAPTCHA. When you think that, all you've done is stoked your ego and screwed yourself over. It's the same reason why we don't roll our own cryptography: CAPTCHA-making is a very hard problem, mainly because your problem space must be infinite (to avoid an attacking machine simply memorizing answers), the answers verifiable by a machine, but the problems not solvable by a machine.
How many questions can be checked by machines but not answered by them?
Not many; fewer every day. There are no questions that can't be answered by a computer (and which can be answered by a human mind). The Church-Turing thesis [wikipedia.org] has some validity: the human mind is no more powerful than a turing machine, and ultimately, computers and our brains are equivalently computationally. There's nothing a computer can't solve: there are just things we haven't figured out yet.
While that may be effective for the moment, as soon as a webmail provider starts using it, it'll be cracked overnight.
Limit the email the account can send, and you reduce the desire for the account. Reduce the usefullness of the account, and you reduce the desire to crack the captcha on new account signups, or at least the profitability in doing so.
Doesn't this increase the desire to get more accounts faster?
Sometimes, the captchas are ALWAYS unsolvable, like one site that uses complimentary colours of the same intensity. That works well unless you can't read text on a complimentary colour background, in which case you're always fscked. I am one of those.
Sounds like an animated captcha could be an alternative approach, since here you could vary the intensity over time. Of course the animated captcha should only be server generated series of bitmaps or vectors, and not be client generated (Flash would fail), for obvious reasons.
Jumpstart the tartan drive.
It's worse than that. Any free or recipient-pays message system is subject to exactly the same amount of abuse. When sending a message costs nothing, the marginal cost of advertising is zero. As long as the marginal gain is non-zero, however small, volume will go to infinity. You can filter and legislate to reduce the volume of this advertising, but you'll never actually eliminate it. These countermeasures just bring the marginal cost of email up to slightly above zero --- but not nearly high enough to discourage spam.
Email isn't special. SMTP is fine. There was fax-machine spam long before even Compuserve. Today, we see text message spam, Facebook spam, MySpace spam, and so on. Email itself isn't the problem. Changing what you call the system doesn't change how it works. It's recipient-pays messaging that's the problem.
Sure, sender-pay systems like the postal service see some volume of advertising, but the volume is kept down by the relatively high marginal cost. Ultimately, I don't see a way of reconciling free anonymous messaging with a spam-free inbox.
We all bloody well know how to get rid of spam but nobody ever talks about the real culprits. The credit card companies. The ones who facilitate the way for spammers to make money. Unfortunately the CC companies make money so they don't care, but let's face it, if the CC companies decided to get rid of spam and lose the income, it could be wiped out in a week. All they would have to do is deny any payments to somebody suspected of spam - problem solved - I never hear anybody bitch about the root of the problem which is the ability to recieve payments.
Stay tuned for new sig...
If the computer was so compromised that the spambot was able to log-in to secure websites (which any site that used a pay-to-post system would need to be) as if it was the legitimate operator of the computer, it makes sense to charge the operator of the computer. This will also, very quickly, encourage adoption of good security practices, as when the improper activity is (a) visible to the owner of the computer, and (b) has a direct financial cost to the owner of the computer, it won't continue without some kind of effective response. Spam bots operate on people's computers because they can do so without the owner of the computer ever realizing it. If every piece of spam sent out resulted in an immediate financial transaction for which the owner of the computer was responsible, you can bet that that owner would (a) notice, and (b) do whatever was necessary to stop the spam.
It is a task for United Nations. Spam is causing a major damage to the world economy via lost work time, traffic, etc. We need international enforceable laws, which would make spam illegal and inevitable punishable worldwide.
It is a bog problem and requires a big solution.
Our leaders shall overcome their cultural shock, phase out activities in local organizations, like EU, NATO, CIS, etc., and begin to work in a global setup, the UN, the WTU - world telecommunication union, Interpol, UNICEF, etc.
What is the point of fighting spam in, say, the USA, if it will continue to pour in from, say, Indonesia?