Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why the CAPTCHA Approach Is Doomed

Posted by timothy on from the how-do-you-feel-about-are-you-a-human dept.

TechnoBabble Pro writes "The CAPTCHA idea sounds simple: prevent bots from massively abusing a website (e.g. to get many email or social network accounts, and send spam), by giving users a test which is easy for humans, but impossible for computers. Is there really such a thing as a well-balanced CAPTCHA, easy on human eyes, but tough on bots? TechnoBabble Pro has a piece on 3 CAPTCHA gotchas which show why any puzzle which isn't a nuisance to legitimate users, won't be much hindrance to abusers, either. It looks like we need a different approach to stop the bots."

16 of 522 comments (clear)

  1. That wooshing sound.... by ivan256 · · Score: 5, Insightful

    ...is the point going right over the author's head.

    A CAPTCHA works well enough for the same reason greylisting works well enough. They may be trivial to bypass (for some definition of 'trivial'), buy many applications only need a tiny speed-bump to make a huge difference in undesirable traffic.

    1. Re:That wooshing sound.... by Lord+Ender · · Score: 4, Insightful

      CAPTCHAs have moved far past "tiny speed bumps" for me. Many are case sensitive yet vary letter size greatly; they use fonts which make the number 1 and the letter l identical; and they smash things together making, for example "m" and "n n" identical.

      Implementers also suck royally. Sites often require a long list of information be typed, including redundant passwords. Then they lose ALL that information when you get the CAPTCHA wrong. Some get caching all screwed up. It's a mess.

      CAPTCHAs today are so much worse than "speed bumps" for regular users, that I'm beginning to wonder whether I, myself, am a bot. The internet is becoming unusable to me.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    2. Re:That wooshing sound.... by ivan256 · · Score: 3, Insightful

      Almost nobody takes the time to make a spam-bot.

      Some 90% brain-dead excuse for human life takes something off the shelf and points it at whatever software you're running. Unless you're one of the most visited sites on the net, a minor modification to the code, and a manually integrated captcha is going to stop practically everybody from spamming your site.

  2. Re:So what next? by Anonymous Coward · · Score: 3, Insightful

    R'ing TFA would be a start :P (he has solutions at the bottom)

  3. Annoyance by Renraku · · Score: 4, Insightful

    That's where the issue is.

    I've been a nerd since I was born. Grew up with early computers. Watched them evolve until now. But nothing makes me feel dumber than trying a CAPTCHA 5 or 6 times and failing every time. Its a serious annoyance and I've seen WORSE that I haven't even attempted.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  4. CAPTCHAs work as well as DRM... by Anita+Coney · · Score: 3, Insightful

    ... which is another way of saying they really doesn't work at all. Both annoy legitimate customers and users while still allowing those with nefarious motives to do whatever they wanted to do in the first place.

    --
    If someone says he and his monkey have nothing to hide, they almost certainly do.
  5. Stuck in the old ways by Anonymous Coward · · Score: 5, Insightful

    Everyone seems to think that the answer to this is to challenge the user somehow. Why isn't a technical solution possible that doesn't require any interaction from a person?

    On my own contact forms, I use a really simple obfuscation technique, it doesn't require any user interaction, and I don't get any spam. I've chosen to name my form elements with meaningless names, because obviously automated spammers rely on field names to fill in the blanks. If they see a form like this:

    <input type="text" name="email">
    <input type="text" name="subject">
    <input type="text" name="message">

    Obviously it's pretty easy to fill out. If they see this instead:

    <input type="text" name="sj38d74j">
    <input type="text" name="9sk2i84h">
    <input type="text" name="m29s784j">

    Then they probably won't even make it past the email validation part, unless they catch the error that my page is printing and try all combinations (or get lucky).

    It makes it even more effective when you use fields with good names, but hide them from users with either CSS or Javascript:

    <input type="text" name="email" style="display: none;">

    That's a honeypot, if it's filled out then it's a robot. You can use the same CSS or Javascript techniques to also print messages informing users not to fill those out if their browser decides to not run my code and instead shows them.

    Really simple solution, requiring no user interaction, and is at least if not more effective than a challenge and response type of solution. I don't know why everyone is hung up on a visual challenge when it's a lot easier to distinguish between a real web browser and a scraper that doesn't bother to execute Javascript or apply CSS. I've been saying this for years though, so I don't really expect anyone to start paying attention now.. at least my own inbox is spam-free though.

  6. Re:8==C=A=P=T=C=H=A==D by 0100010001010011 · · Score: 4, Insightful

    Because an open ended question would get a million different responses.

    And having the user select a radio button would narrow the probability down to 1/X choices. And when you have a million bots, 1/x is more than enough to get your spam out.

  7. Re:8==C=A=P=T=C=H=A==D by VeNoM0619 · · Score: 3, Insightful

    Still won't defeat the army of underpaid workers to do it.

    --
    Disclaimer: I am not god.
    We may not be created equal
    But we can be treated equal.
  8. Re:question and answer seem to work well by Phroggy · · Score: 3, Insightful

    ...until AI gets smart enough to answer questions intuitively.

    It's REALLY HARD to automatically generate random questions that an average human can answer easily, but that current AI technology can't answer just as easily. Of course you can come up with questions yourself, and compile a list of them, but if you've only got a list of a hundred questions, then all the spammer has to do is figure out the answers to your hundred questions, and then he has free reign to do whatever he wants. Or, come up with the answer to ONE of them, and he has free reign to do whatever he wants at 1% the speed he could otherwise, which is still a hell of a lot of spam.

    If you don't believe me, you try writing software that will generate random questions. Here's my stab at it, which would barely slow a spammer down.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  9. What about the economic argument? by Binty · · Score: 4, Insightful

    Most posts on this topic have been along the lines of, "Maybe CAPTCHAs as they are implement now don't work, but here is a method that is trivial for people but hard for computers."

    TFA's best argument, in my opinion, was that it is trivially inexpensive for a spammer to simply hire people to break CAPTCHAs. So, a method that doesn't annoy people but is hard for computers still won't work because the spammer will just use people. This is not a topic I know a lot about (not being a spammer I don't know what kind of revenue they generate) but would like to hear a response to this. Is the TFA off its gourd and better technology really will solve this problem? Or is gate-keeping for free services essentially pointless?

  10. there's another woosh over your head by speedtux · · Score: 3, Insightful

    Greylisting only works because many sites don't use it; if everybody used it, it would stop working.

    The economics of CAPTCHAs are even less favorable, since the cost of breaking a CAPTCHA is small compared to the cost of what the bot actually does after it has broken it.

  11. (Repost) A Few Common Captcha Fallacies by QuoteMstr · · Score: 4, Insightful

    Everyone has a great idea for a CAPTCHA, but very few people know what the hell is really going on. Remember that the machine doesn't need to solve the CAPTCHA every time, that machines are infinitely patient and have huge memories, and that another machine needs to make sure the human gave the right answer!

    Ideas that won't work:

    1. Make clients identify an object from a picture. Machines can't describe objects in pictures: if machines can't describe the picture, how the hell is the CAPTCHA server supposed to verify that the client gave the correct answer? If a human being manually inputs the pictures and acceptable descriptions for each, then another human can program his attacking machine to do the same thing! Having a large, but finite set of pictures doesn't help either since a machine doesn't need to solve the CAPTCHA every time. It can just learn the correct responses without actually understanding the image. ANY APPROACH BASED ON IDENTIFYING A MEMBER OF A FINITE SET DOES NOT WORK AS A CAPTCHA.
    2. As a special case of #2, QUIZZES DO NOT WORK: either the questions are finite and subject to attacker memorization, or the number of patterns for the question is finite, and these patterns can be detected by a machine. (Consider "A train is coming from Denver at X miles per hour..." --- same problem, different coefficients)
    3. Send the client a special program that verifies he's real: if it doesn't work for DRM, it won't work for CAPTCHAs. An attacker can just program his machine to simulate slow typing, slow thinking, or a cross-eyed human being. YOU CANNOT CONTROL THE EXECUTION ENVIRONMENT. No amount of Javascript obfuscation, encryption, or header-checking will make the slightest bit of difference for a determined hacker.
    4. As a special case of #3, TIMING ANALYSIS DOES NOT WORK. Machines can simulate arbitrary delays.
    5. Limiting CAPTCHA-solving attempts by cookie/IP address/etc.: that doesn't work. Attackers don't obey web standards, and have botnets

    Really, it's very easy to think you've come up with a very clever CAPTCHA. When you think that, all you've done is stoked your ego and screwed yourself over. It's the same reason why we don't roll our own cryptography: CAPTCHA-making is a very hard problem, mainly because your problem space must be infinite (to avoid an attacking machine simply memorizing answers), the answers verifiable by a machine, but the problems not solvable by a machine.

    How many questions can be checked by machines but not answered by them?

    Not many; fewer every day. There are no questions that can't be answered by a computer (and which can be answered by a human mind). The Church-Turing thesis [wikipedia.org] has some validity: the human mind is no more powerful than a turing machine, and ultimately, computers and our brains are equivalently computationally. There's nothing a computer can't solve: there are just things we haven't figured out yet.

  12. Re:It's a Turing test by QuoteMstr · · Score: 4, Insightful

    A CAPTCHA is not a Turing test. A Turing test requires that a person tell a computer and a human apart; the CAPTCHA problem is harder, from a certain point of view, because a computer is required to tell a human and a computer apart.

  13. Re:My solution is simple & elegant: by lewiscr · · Score: 5, Insightful

    Limit the email the account can send, and you reduce the desire for the account. Reduce the usefullness of the account, and you reduce the desire to crack the captcha on new account signups, or at least the profitability in doing so.

    Doesn't this increase the desire to get more accounts faster?

  14. Re:So what next? by Dishevel · · Score: 3, Insightful

    Isn't that what is actually already implemented?

    --
    Why is it so hard to only have politicians for a few years, then have them go away?