Slashdot Mirror
Why the CAPTCHA Approach Is Doomed
TechnoBabble Pro writes "The CAPTCHA idea sounds simple: prevent bots from massively abusing a website (e.g. to get many email or social network accounts, and send spam), by giving users a test which is easy for humans, but impossible for computers. Is there really such a thing as a well-balanced CAPTCHA, easy on human eyes, but tough on bots? TechnoBabble Pro has a piece on 3 CAPTCHA gotchas which show why any puzzle which isn't a nuisance to legitimate users, won't be much hindrance to abusers, either. It looks like we need a different approach to stop the bots."
...is the point going right over the author's head.
A CAPTCHA works well enough for the same reason greylisting works well enough. They may be trivial to bypass (for some definition of 'trivial'), buy many applications only need a tiny speed-bump to make a huge difference in undesirable traffic.
...until AI gets smart enough to answer questions intuitively.
"To err is human, to mod Funny divine."
That's where the issue is.
I've been a nerd since I was born. Grew up with early computers. Watched them evolve until now. But nothing makes me feel dumber than trying a CAPTCHA 5 or 6 times and failing every time. Its a serious annoyance and I've seen WORSE that I haven't even attempted.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
This troll actually gave me an idea. Why not ascii art?
Give an ascii art picture and asc the user to tell what it is.
In this case cock would let you through.
"I don't have to think. I only have to do it. The results are always perfect, but that's old news." - Meat Puppets
... you are a computer. Life, er, up-time will be easier.
The world is made by those who show up for the job.
So if the CAPTCHA is doomed, what is the next approach?
Torture
Help fight spam
Everyone seems to think that the answer to this is to challenge the user somehow. Why isn't a technical solution possible that doesn't require any interaction from a person?
On my own contact forms, I use a really simple obfuscation technique, it doesn't require any user interaction, and I don't get any spam. I've chosen to name my form elements with meaningless names, because obviously automated spammers rely on field names to fill in the blanks. If they see a form like this:
<input type="text" name="email">
<input type="text" name="subject">
<input type="text" name="message">
Obviously it's pretty easy to fill out. If they see this instead:
<input type="text" name="sj38d74j">
<input type="text" name="9sk2i84h">
<input type="text" name="m29s784j">
Then they probably won't even make it past the email validation part, unless they catch the error that my page is printing and try all combinations (or get lucky).
It makes it even more effective when you use fields with good names, but hide them from users with either CSS or Javascript:
<input type="text" name="email" style="display: none;">
That's a honeypot, if it's filled out then it's a robot. You can use the same CSS or Javascript techniques to also print messages informing users not to fill those out if their browser decides to not run my code and instead shows them.
Really simple solution, requiring no user interaction, and is at least if not more effective than a challenge and response type of solution. I don't know why everyone is hung up on a visual challenge when it's a lot easier to distinguish between a real web browser and a scraper that doesn't bother to execute Javascript or apply CSS. I've been saying this for years though, so I don't really expect anyone to start paying attention now.. at least my own inbox is spam-free though.
The author was arguing that one of the primary reasons to do captcha breaking is to get freebee email accounts on GMail/Yahoo to send spam from.
Limit the email the account can send, and you reduce the desire for the account. Reduce the usefullness of the account, and you reduce the desire to crack the captcha on new account signups, or at least the profitability in doing so.
It's one approach that would make a difference, but it's clearly not the only solution.
I'm out of my mind right now, but feel free to leave a message.....
Because an open ended question would get a million different responses.
And having the user select a radio button would narrow the probability down to 1/X choices. And when you have a million bots, 1/x is more than enough to get your spam out.
Spam-filters analogous to those applied to email seem to be increasingly used as plugins to various blog engines.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Now, I didn't say you'd LIKE what 's next...
RS
Shoes for Industry. Shoes for the Dead.
Maybe a different type of system? Show a series of animals and ask which one is a pet. Show a series of letters and ask which one is the vowel. A series of types of food and ask which one would go best with Natalie Portman. Show an action shot and a series of similar actions, ask which one would occur in Soviet Russia.
"Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
The more effort someone is willing to put out to prove they are human or are backed by a human willing to be responsible for problems, the more abuse-able services you give them.
For example, e-mail service providers could offer several tiers:
Simple signup/new accounts:
Limited number and size of incoming and outgoing messages.
Verified signup/driver's license with confirmation by paper mail:
Nearly-full, with shutoff or limitations imposed at first sign of abuse.
Verified signup/credit card with confirmation:
Nearly-full, with shutoff or limitations imposed at first sign of abuse.
Established account, with a pattern of usage indicative of a human over a period of several weeks:
Nearly-full, with shutoff or limitations imposed at first sign of abuse.
Credentialed user, backed by a substantial bond or deposit and an explanation of why suspicious behavior really is legitimate:
Full access plus a free pass on "legitimate" suspicious behavior until someone complains, but if it's abused then throttle him and take the costs out of his deposit.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Solve the following math problem to continue:
1/0 = ?
There are a few flaws with this idea. Primarily that it blocks colorblind individuals from registering for the site, and there are much more colorblind internet users than visually and hearing impaired.
This is also not very difficult to break. Assuming that the letters and numbers aren't obfuscated the same way CAPTCHA images are (if they are then this is just another CAPTCHA), a bot would be able to parse the characters out of the image. It could then classify the characters into groups of colors, pick one group randomly, and guess. There couldn't be more than four or five colors in the image since asking to differentiate between aqua/navy/royal/pale blue is unreasonable for a human (but interestingly enough, not difficult for a computer). That would give you a bot with a ~20-25% accuracy rate.
Beyond that, you could parse the question as well, looking for the words red, blue, green, black, etc. and classify ranges of hex colors into associated color names. That would greatly increase success rate of guesses.
This is not a reliable CAPTCHA replacement and in fact seems not very difficult to break.
This is my favorite captcha, some are ridiculous: http://random.irb.hr/signup.php
Refresh the page a bit, fun to see what you can get.
Sturgeon was an optimist.
Most posts on this topic have been along the lines of, "Maybe CAPTCHAs as they are implement now don't work, but here is a method that is trivial for people but hard for computers."
TFA's best argument, in my opinion, was that it is trivially inexpensive for a spammer to simply hire people to break CAPTCHAs. So, a method that doesn't annoy people but is hard for computers still won't work because the spammer will just use people. This is not a topic I know a lot about (not being a spammer I don't know what kind of revenue they generate) but would like to hear a response to this. Is the TFA off its gourd and better technology really will solve this problem? Or is gate-keeping for free services essentially pointless?
Charge a fee. It doesn't have to be money. It could be cycles.
Have the client hash the message append some random characters to the end of the message. Have it change vary the characters until the hash matches some pre-defined pattern before sending. Cheap to verify on the incoming machine (just one hash), arbitrarily expensive on the sending machine. Your requirement can be for a certain number of characters or a specific sequence of bits, all the way up to the bitlength of the hash.
It doesn't answer the question of "is the sender a human" but it does answer the question of "how much is this message worth to the sender." The beauty of it is that that is sufficient.
If the spammer is using a dedicated server, you can limit the amount of spam they can send arbitrarily. Imagine how profitable a spam server would be if it cost $3k to send 86,400 messages per day? If the spammer is using a botnet, that scales a little better for them, but since it chews up cycles, it's going to make their operation noticeable to users.
There are probably better ways even than that, and someone will eventually find one that is more deterministic (it's unlikely, but there's a chance that someone could just be unlucky enough to never be able to chance on the right sequence using a psuedorandom perturbation approach)
I didn't think of this though, so there might be some patents. Google for message digest spam control or something like that to see some papers.
Can you be Even More Awesome?!
So if the CAPTCHA is doomed, what is the next approach?
Torture
You mean, TORTCHA?
Place Goatse on the front page. After everyone's eyes are bleeding, the only remaining visitors will then be robots. Behold, you have isolated the set of spambots from the set of humans.
Inverting the set to get the humans instead of the bots is left as a trivial exercise to the reader.
Pardon me, but I do believe that Natalie Portman can be both a pet AND a tasty treat.
Everyone has a great idea for a CAPTCHA, but very few people know what the hell is really going on. Remember that the machine doesn't need to solve the CAPTCHA every time, that machines are infinitely patient and have huge memories, and that another machine needs to make sure the human gave the right answer!
Ideas that won't work:
Really, it's very easy to think you've come up with a very clever CAPTCHA. When you think that, all you've done is stoked your ego and screwed yourself over. It's the same reason why we don't roll our own cryptography: CAPTCHA-making is a very hard problem, mainly because your problem space must be infinite (to avoid an attacking machine simply memorizing answers), the answers verifiable by a machine, but the problems not solvable by a machine.
How many questions can be checked by machines but not answered by them?
Not many; fewer every day. There are no questions that can't be answered by a computer (and which can be answered by a human mind). The Church-Turing thesis [wikipedia.org] has some validity: the human mind is no more powerful than a turing machine, and ultimately, computers and our brains are equivalently computationally. There's nothing a computer can't solve: there are just things we haven't figured out yet.
A CAPTCHA is not a Turing test. A Turing test requires that a person tell a computer and a human apart; the CAPTCHA problem is harder, from a certain point of view, because a computer is required to tell a human and a computer apart.
This is known as hashcash. One big reason that it doesn't work on the web is that, currently, users will be stuck with some slow JavaScript version of the algorithm, while a sufficiently determined spammer can use a fast C version, and end up with much less work required to post. So it's nearly impossible to set a cost that is cheap enough for valid visitors, that will be a sufficient deterrent against spammers.
To get something done, a committee should consist of no more than three persons, two of them absent.
SPAM is sent from compromised computers. If you make people pay for posts then the owners of compromised computers will be billed - not the real senders of SPAM. Billing would help minimize the problem, but we would still receive a pile of SPAM. And a pile of people who only use their computer once a week would have to foot the bill.
Well you know what they say: "You can't have your Natalie Portman and eat her too..." ...or something like that.
Limit the email the account can send, and you reduce the desire for the account. Reduce the usefullness of the account, and you reduce the desire to crack the captcha on new account signups, or at least the profitability in doing so.
Doesn't this increase the desire to get more accounts faster?