Why the CAPTCHA Approach Is Doomed

TechnoBabble Pro writes "The CAPTCHA idea sounds simple: prevent bots from massively abusing a website (e.g. to get many email or social network accounts, and send spam), by giving users a test which is easy for humans, but impossible for computers. Is there really such a thing as a well-balanced CAPTCHA, easy on human eyes, but tough on bots? TechnoBabble Pro has a piece on 3 CAPTCHA gotchas which show why any puzzle which isn't a nuisance to legitimate users, won't be much hindrance to abusers, either. It looks like we need a different approach to stop the bots."

  • by Dynedain ( 141758 ) <slashdot2NO@SPAManthonymclin.com> on Wednesday April 08, 2009 @03:48PM (#27508255) Homepage

    The author was arguing that one of the primary reasons to do captcha breaking is to get freebie email accounts on GMail/Yahoo to send spam from.

    Limit the email the account can send, and you reduce the desire for the account. Reduce the usefulness of the account, and you reduce the desire to crack the captcha on new account signups, or at least the profitability in doing so.

    It's one approach that would make a difference, but it's clearly not the only solution.

  • by qoncept ( 599709 ) on Wednesday April 08, 2009 @03:52PM (#27508315) Homepage
    I think you're missing the point. CAPTCHA isn't a speed bump. Anyone that is going to take the time to make a bot to spam your site is going to take an extra minute to add a hack for your CAPTCHA or cat picture or sound or simple question. And saying you have to make CAPTCHA difficult for humans to read to be effective is a pretty major understatement. It should read "Computers are better at it than people."
  • Wrong implementation (Score:4, Informative)

    by js3 ( 319268 ) on Wednesday April 08, 2009 @03:54PM (#27508351)

    Most CAPTCHAs are hacked because their implementation is amateurish. They are hacked by reusing session ids or dictionary attacks and have nothing to do with the actual image itself. Long story short, CAPTCHAs reduce the amount of spam by more than 50% simply because it's not worth the effort for a spambot to break it; after all, they have the entire internet to spam.

    Some are good, some are bad, and most are downright horrible, but you wouldn't want your favorite forum to be trolled by spambots, would ya? Might as well live with it. Nothing works 100%; you should know that by now.
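
The implementation weakness named in the comment above (a solved challenge tied to a session id that stays valid, or a challenge that tolerates repeated guesses) is closed by making every challenge single-use on the server. This is an added example, not code from the thread or from any CAPTCHA product; `ChallengeStore`, its methods and the sample answers are hypothetical.

```python
import hmac
import secrets
import time


class ChallengeStore:
    """In-memory store of outstanding CAPTCHA challenges (hypothetical helper)."""

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}  # challenge_id -> (expected_answer, expiry)

    def issue(self, answer):
        """Register a freshly generated answer and return its unguessable id."""
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (answer.lower(), self._clock() + self._ttl)
        return challenge_id

    def verify(self, challenge_id, response):
        """Check a response; the challenge is consumed whether or not it passes."""
        entry = self._pending.pop(challenge_id, None)  # single use: remove first
        if entry is None:
            return False  # unknown, already used, or replayed id
        expected, expiry = entry
        if self._clock() > expiry:
            return False  # solved too late, e.g. an id harvested earlier
        return hmac.compare_digest(expected.encode(),
                                   response.strip().lower().encode())


def demo():
    """Constructed walk-through: solve once, replay the id, then guess twice."""
    store = ChallengeStore()
    cid = store.issue("k7wq9")            # constructed sample answer
    first = store.verify(cid, "K7WQ9")    # legitimate solve
    replay = store.verify(cid, "k7wq9")   # same id again: rejected
    cid2 = store.issue("m3x8p")
    # A wrong guess burns the challenge, so the later correct guess fails too.
    guesses = [store.verify(cid2, g) for g in ("aaaaa", "m3x8p")]
    return first, replay, guesses
```

Because `verify` removes the entry before comparing, a client gets exactly one attempt per issued image and must fetch a new challenge to try again.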

  • by clone53421 ( 1310749 ) on Wednesday April 08, 2009 @03:54PM (#27508363) Journal

    Already been done [thephppro.com].

  • Re:Browsing Trends (Score:3, Informative)

    by Attila Dimedici ( 1036002 ) on Wednesday April 08, 2009 @04:07PM (#27508617)

    I agree there are ways to circumvent it, but the majority of bots will not go to the trouble of doing that, and that's the key.

    Another idea would be to observe mouse movements through Javascript to detect a real user. This would be VERY inefficient for a bot, and probably not worth the while.

    This would work great until the majority of websites do it, then it is worth the overhead for the bot to go to the trouble of doing it. When CAPTCHA started it wasn't worth the bot writers' trouble to crack it. They just went to easier sites, but as more and more sites adopted CAPTCHA the value of cracking it became greater. Any successful system will eventually be adopted by a large enough number of websites to make it worth the bot writers' time to crack. At which time they will.

  • Re:So what next? (Score:5, Informative)

    by uhoreg ( 583723 ) on Wednesday April 08, 2009 @05:00PM (#27509513) Homepage
    This is known as hashcash [hashcash.org]. One big reason that it doesn't work on the web is that, currently, users will be stuck with some slow JavaScript version of the algorithm, while a sufficiently determined spammer can use a fast C version, and end up with much less work required to post. So it's nearly impossible to set a cost that is cheap enough for valid visitors, that will be a sufficient deterrent against spammers.
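
The cost asymmetry described in the comment above can be put in numbers with a simplified proof-of-work stamp. This is an added example, not hashcash's own code: the stamp holds only a resource name and a counter, SHA-256 stands in for hashcash's SHA-1, and the two hash rates are constructed assumptions rather than measurements.

```python
import hashlib
from itertools import count

# Constructed hash rates (hashes per second), assumptions for illustration only.
SLOW_CLIENT_HPS = 20_000        # visitor running a slow in-browser implementation
FAST_CLIENT_HPS = 20_000_000    # sender running an optimised native implementation


def leading_zero_bits(digest):
    """Number of leading zero bits in a digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def mint(resource, bits):
    """Search for a stamp whose hash has at least `bits` leading zero bits."""
    for counter in count():
        stamp = f"{resource}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1  # the stamp and how many hashes it took


def verify(stamp, resource, bits):
    """Server side: one hash, whatever the difficulty."""
    if not stamp.startswith(resource + ":"):
        return False  # stamp was minted for a different resource
    return leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits


def expected_seconds(bits, hashes_per_second):
    """Average minting time: about 2**bits hashes are needed."""
    return (2 ** bits) / hashes_per_second


def max_bits_within(budget_seconds, hashes_per_second):
    """Largest difficulty whose average minting time fits the time budget."""
    bits = 0
    while expected_seconds(bits + 1, hashes_per_second) <= budget_seconds:
        bits += 1
    return bits
```

With these assumed rates, the hardest stamp a visitor can mint in about five seconds is 16 bits, which the fast client produces in roughly three milliseconds. A deployed scheme would also need a date and a record of spent stamps so that one stamp cannot be submitted twice.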
  • Not really (Score:5, Informative)

    by willy_me ( 212994 ) on Wednesday April 08, 2009 @05:01PM (#27509523)
    SPAM is sent from compromised computers. If you make people pay for posts then the owners of compromised computers will be billed - not the real senders of SPAM. Billing would help minimize the problem, but we would still receive a pile of SPAM. And a pile of people who only use their computer once a week would have to foot the bill.
  • by kwerle ( 39371 ) <kurt@CircleW.org> on Wednesday April 08, 2009 @05:06PM (#27509619) Homepage Journal

    Yup. I used PHPBB2 and changed the CAPTCHA code.

    "Type the following text in the CAPTCHA box . Ignore the image below."

    All spamming stopped. Regular users were fine.

  • by Java Pimp ( 98454 ) on Wednesday April 08, 2009 @05:12PM (#27509713) Homepage
    That's the way ReCaptcha works. It's more than an anti-spam device. It also serves as part of a service to help digitize old books and publications. The captchas are made from 2 parts, a word from a publication that OCR software couldn't figure out and a word that is known. To pass the captcha, you have to answer the known portion correctly. The system uses your answer to the unknown portion to help determine what that word might be.
  • by TheRaven64 ( 641858 ) on Wednesday April 08, 2009 @05:33PM (#27509981) Journal
    You can do this already, just go to the 'about' page on the site. When I first heard about ReCaptcha, I spent a little while filling them in to see how hard they were.
  • by Gamma747 ( 1438537 ) on Wednesday April 08, 2009 @05:55PM (#27510329)
    The problem is that a spambot that can break CAPTCHAs 10% of the time is good enough, but OCR systems have to be much more accurate.
  • by Eternauta3k ( 680157 ) on Wednesday April 08, 2009 @06:05PM (#27510507) Homepage Journal
    If your site gained any popularity, they would make bots specifically to register in your website.
  • by RobertB-DC ( 622190 ) * on Wednesday April 08, 2009 @06:49PM (#27511125) Homepage Journal

    I tend to think using Recaptcha just earns somebody money, it is not really doing any particular good for the world.

    Would it be asking too much to suggest you check the FAQ [recaptcha.net] or About Us [recaptcha.net] links? Is it enough that "reCAPTCHA channels this human effort into helping to digitize books from the Internet Archive", or does it help that "reCAPTCHA is a project of the School of Computer Science at Carnegie Mellon University"?

    Or perhaps you'll take the word of Science magazine [recaptcha.net]. Of course, the link is to a .pdf reprint hosted at recaptcha.net, so YMMV (depending on the tightness of your tinfoil hat). It could all be an evil spammer plot. Yes. Yes it could.

  • by bigbird ( 40392 ) on Wednesday April 08, 2009 @10:06PM (#27512921) Homepage

    Yes, me too. I simply ask "How do you spell spam?" for my question. Stopped the spambots in their tracks :)

  • by Anonymous Coward on Thursday April 09, 2009 @03:17AM (#27514841)
    I'm ashamed to say I've written spam-bots for myspace (on rentacoder.com), and that's just not true. It really doesn't cost much to make a spam-bot, students like myself are very cheap (and I'm in a 1st world country).
