Why the CAPTCHA Approach Is Doomed (522 comments)

TechnoBabble Pro writes "The CAPTCHA idea sounds simple: prevent bots from massively abusing a website (e.g. to get many email or social network accounts, and send spam), by giving users a test which is easy for humans, but impossible for computers. Is there really such a thing as a well-balanced CAPTCHA, easy on human eyes, but tough on bots? TechnoBabble Pro has a piece on 3 CAPTCHA gotchas which show why any puzzle which isn't a nuisance to legitimate users won't be much of a hindrance to abusers, either. It looks like we need a different approach to stop the bots."
  • So what next? (Score:2, Insightful)

    by Midnight Thunder ( 17205 ) on Wednesday April 08, 2009 @03:34PM (#27508035) Homepage Journal

    So if the CAPTCHA is doomed, what is the next approach? Letting spam bots go rampant over a site is not an acceptable alternative.

  • by ivan256 ( 17499 ) on Wednesday April 08, 2009 @03:36PM (#27508065)

    ...is the point going right over the author's head.

    A CAPTCHA works well enough for the same reason greylisting works well enough. They may be trivial to bypass (for some definition of 'trivial'), but many applications only need a tiny speed-bump to make a huge difference in undesirable traffic.

  • Re:So what next? (Score:3, Insightful)

    by Anonymous Coward on Wednesday April 08, 2009 @03:40PM (#27508121)
    R'ing TFA would be a start :P (he has solutions at the bottom)
  • Annoyance (Score:5, Insightful)

    by Renraku ( 518261 ) on Wednesday April 08, 2009 @03:41PM (#27508153) Homepage

    That's where the issue is.

    I've been a nerd since I was born. Grew up with early computers. Watched them evolve until now. But nothing makes me feel dumber than trying a CAPTCHA 5 or 6 times and failing every time. It's a serious annoyance and I've seen WORSE that I haven't even attempted.

  • by oldspewey ( 1303305 ) on Wednesday April 08, 2009 @03:43PM (#27508183)

    impose default caps on sent emails per account, IP, whatever, until the sender has been established as a legit sender of mass mails.

    What does this have to do with the subject of website captchas?

  • by Anita Coney ( 648748 ) on Wednesday April 08, 2009 @03:44PM (#27508197) Homepage

    ... which is another way of saying they really don't work at all. Both annoy legitimate customers and users while still allowing those with nefarious motives to do whatever they wanted to do in the first place.

  • by Anonymous Coward on Wednesday April 08, 2009 @03:47PM (#27508245)

    Everyone seems to think that the answer to this is to challenge the user somehow. Why isn't a technical solution possible that doesn't require any interaction from a person?

    On my own contact forms, I use a really simple obfuscation technique, it doesn't require any user interaction, and I don't get any spam. I've chosen to name my form elements with meaningless names, because obviously automated spammers rely on field names to fill in the blanks. If they see a form like this:

    <input type="text" name="email">
    <input type="text" name="subject">
    <input type="text" name="message">

    Obviously it's pretty easy to fill out. If they see this instead:

    <input type="text" name="sj38d74j">
    <input type="text" name="9sk2i84h">
    <input type="text" name="m29s784j">

    Then they probably won't even make it past the email validation part, unless they catch the error that my page is printing and try all combinations (or get lucky).

    It makes it even more effective when you use fields with good names, but hide them from users with either CSS or Javascript:

    <input type="text" name="email" style="display: none;">

    That's a honeypot, if it's filled out then it's a robot. You can use the same CSS or Javascript techniques to also print messages informing users not to fill those out if their browser decides to not run my code and instead shows them.

    Really simple solution, requiring no user interaction, and is at least if not more effective than a challenge and response type of solution. I don't know why everyone is hung up on a visual challenge when it's a lot easier to distinguish between a real web browser and a scraper that doesn't bother to execute Javascript or apply CSS. I've been saying this for years though, so I don't really expect anyone to start paying attention now.. at least my own inbox is spam-free though.
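An added example (not code from the commenter above) of the two tricks that post describes, server side: a CSS-hidden honeypot that keeps the tempting name "email", and per-session opaque names for the real fields, derived with HMAC so the server does not have to store the mapping. The secret, the session token and the posted dictionaries are all constructed for the demo; the `render_form` / `classify_submission` names are this example's own.

```python
import hashlib
import hmac

# Assumption: a per-deployment secret; constructed here for the demo only.
SECRET = b"demo-secret-not-for-production"

# Logical fields the form processor actually needs.
LOGICAL_FIELDS = ("email", "subject", "message")

# The honeypot keeps a well-known, tempting name. It is hidden from humans
# with CSS (display: none), so a human never fills it in; a script that
# fills every field it sees does.
HONEYPOT_FIELD = "email"


def field_names(session_token: str) -> dict[str, str]:
    """Derive per-session opaque names for each logical field.

    HMAC over (session_token, field) lets the server recompute the mapping
    when the form is posted back, with no database of random names.
    """
    names = {}
    for field in LOGICAL_FIELDS:
        digest = hmac.new(SECRET, f"{session_token}:{field}".encode(),
                          hashlib.sha256).hexdigest()
        names[field] = "f" + digest[:12]   # e.g. "f3a9c1b2d4e5f6"
    return names


def render_form(session_token: str) -> str:
    """Render the form with opaque field names and a CSS-hidden honeypot."""
    names = field_names(session_token)
    rows = [f'<input type="text" name="{HONEYPOT_FIELD}" '
            f'style="display: none;" tabindex="-1" autocomplete="off">']
    for field in LOGICAL_FIELDS:
        # The visible label still says Email:/Subject:/Message:; only the
        # name attribute the bot keys on is opaque.
        rows.append(f'<label>{field.title()}: '
                    f'<input type="text" name="{names[field]}"></label>')
    return '<form method="post">\n' + "\n".join(rows) + "\n</form>"


def classify_submission(session_token: str, posted: dict[str, str]):
    """Return ("human", data) or ("bot", reason) for a posted form."""
    # Anything in the honeypot means a script filled every field it saw.
    if posted.get(HONEYPOT_FIELD, "").strip():
        return "bot", "honeypot filled"
    names = field_names(session_token)
    data = {}
    for field, opaque in names.items():
        if opaque not in posted:
            # A bot that guessed the obvious names never sends these.
            return "bot", f"missing field for {field}"
        data[field] = posted[opaque]
    return "human", data
```

The mapping is bound to the session token, so a harvested set of names from one page load does not transfer to another. The check still only distinguishes a dumb field-name scraper from a browser: a bot that reads the visible `<label>` text instead of the `name` attributes maps the fields just as easily, which is the weakness DragonWriter raises further down the thread.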

  • by 0100010001010011 ( 652467 ) on Wednesday April 08, 2009 @03:48PM (#27508257)

    Because an open ended question would get a million different responses.

    And having the user select a radio button would narrow the probability down to 1/X choices. And when you have a million bots, 1/x is more than enough to get your spam out.

  • Re:So what next? (Score:3, Insightful)

    by ion++ ( 134665 ) on Wednesday April 08, 2009 @03:51PM (#27508293)

    So if the CAPTCHA is doomed, what is the next approach? Letting spam bots go rampant over a site is not an acceptable alternative.

    The next thing to do is to close the services that need (CAPTCHA) spam protection. This means no more free email. Get used to paying.

  • Re:Browsing Trends (Score:3, Insightful)

    by shadow349 ( 1034412 ) on Wednesday April 08, 2009 @03:51PM (#27508297)

    All the bot needs to do is do a google search for "site:example.com", hit a random sampling of the results, and then register.

    In the grand scheme of things, it probably only adds a few percent of overhead for the bot.

  • by Phroggy ( 441 ) <slashdot3@ p h roggy.com> on Wednesday April 08, 2009 @04:05PM (#27508583) Homepage

    I have suggested a solution more times than I care to count:

    There's your first clue that maybe your solution isn't the be-all-end-all you think it is.

    impose default caps on sent emails per account, IP, whatever, until the sender has been established as a legit sender of mass mails.

    OK, but who are you suggesting should impose these default caps? ISPs? That's fine, but the only way an ISP can do this is by firewalling outbound port 25 and requiring all their customers to relay mail through the ISP's mail server. A lot of ISPs do this and I wish more of them would, but it can cause problems for customers (if you're required to relay through your company's SMTP server instead and they haven't configured an alternate port such as 587, or if the ISP's SMTP server is poorly configured/overloaded/hacked/broken, then the user can't send mail and the resulting customer service calls are pretty expensive for the ISP and could drive the customer to leave).

    On top of that, a lot of people are migrating away from traditional POP3/IMAP/SMTP e-mail accounts, and just using webmail services instead. Webmail services, of course, can impose all kinds of limits on the activities of their users, but these limits only make sense on a per-account basis. You can't put limits on the number of messages sent from one IP address regardless of who's logged in, because there could be 300 different users all connecting through a proxy server on one IP, and you have no way to tell the difference.

    So, you have to limit each account. But a spammer can easily sign up for multiple accounts, using an automated program! Then they can get around your restrictions, by logging in on 300 different accounts and sending one e-mail from each of them. How do you prevent this?

    By using a CAPTCHA.

    Which is what we're talking about.

    Thanks for playing!

  • It's a Turing test (Score:2, Insightful)

    by garyebickford ( 222422 ) <`gar37bic' `at' `gmail.com'> on Wednesday April 08, 2009 @04:07PM (#27508609)

    CAPTCHAs are simple Turing tests. As computers get faster and software gets smarter, it will become harder and harder to tell them apart. Also, since humans have a broad spectrum of ability, there will be an increasing percentage of humans who can not pass the tests.

    For example, math students who can not tell a Rembrandt from a Picasso, and art students who can't determine the roots of a simple quadratic. (See, I'm not picking on anyone in particular - we are all ignorant in most fields.)

    In future we will get to a point where the computers can design CAPTCHAs that no human can solve, but robots can!

  • by Lord Ender ( 156273 ) on Wednesday April 08, 2009 @04:10PM (#27508647) Homepage

    CAPTCHAs have moved far past "tiny speed bumps" for me. Many are case sensitive yet vary letter size greatly; they use fonts which make the number 1 and the letter l identical; and they smash things together making, for example "m" and "n n" identical.

    Implementers also suck royally. Sites often require a long list of information be typed, including redundant passwords. Then they lose ALL that information when you get the CAPTCHA wrong. Some get caching all screwed up. It's a mess.

    CAPTCHAs today are so much worse than "speed bumps" for regular users, that I'm beginning to wonder whether I, myself, am a bot. The internet is becoming unusable to me.

  • by VeNoM0619 ( 1058216 ) on Wednesday April 08, 2009 @04:15PM (#27508745)
    Still won't defeat the army of underpaid workers to do it.
  • Re:So what next? (Score:3, Insightful)

    by syousef ( 465911 ) on Wednesday April 08, 2009 @04:17PM (#27508787) Journal

    Making people pay for posts. Making people pay for email. That will stop spam dead in its tracks.

    No it won't, and once we introduce it we'll be stuck with it.

    Now, I didn't say you'd LIKE what's next...

    You're right, I don't like the idea of killing off the Internet as we know it over a misguided attempt to stop something that can only be limited, not stopped. Sometimes the cure is much much worse than the disease and in that case the cure should be rejected.

  • by Phroggy ( 441 ) <slashdot3@ p h roggy.com> on Wednesday April 08, 2009 @04:17PM (#27508797) Homepage

    ...until AI gets smart enough to answer questions intuitively.

    It's REALLY HARD to automatically generate random questions that an average human can answer easily, but that current AI technology can't answer just as easily. Of course you can come up with questions yourself, and compile a list of them, but if you've only got a list of a hundred questions, then all the spammer has to do is figure out the answers to your hundred questions, and then he has free rein to do whatever he wants. Or, come up with the answer to ONE of them, and he has free rein to do whatever he wants at 1% the speed he could otherwise, which is still a hell of a lot of spam.

    If you don't believe me, you try writing software that will generate random questions. Here's my stab at it [webwizardry.net], which would barely slow a spammer down.

  • by Binty ( 1411197 ) on Wednesday April 08, 2009 @04:18PM (#27508801)

    Most posts on this topic have been along the lines of, "Maybe CAPTCHAs as they are implemented now don't work, but here is a method that is trivial for people but hard for computers."

    TFA's best argument, in my opinion, was that it is trivially inexpensive for a spammer to simply hire people to break CAPTCHAs. So, a method that doesn't annoy people but is hard for computers still won't work because the spammer will just use people. This is not a topic I know a lot about (not being a spammer I don't know what kind of revenue they generate) but would like to hear a response to this. Is the TFA off its gourd and better technology really will solve this problem? Or is gate-keeping for free services essentially pointless?

  • by speedtux ( 1307149 ) on Wednesday April 08, 2009 @04:20PM (#27508853)

    Greylisting only works because many sites don't use it; if everybody used it, it would stop working.

    The economics of CAPTCHAs are even less favorable, since the cost of breaking a CAPTCHA is small compared to the cost of what the bot actually does after it has broken it.

  • by silent_artichoke ( 973182 ) <mike AT mikeandebony DOT com> on Wednesday April 08, 2009 @04:29PM (#27509021) Homepage

    Would it really be that hard to have a picture of a rabbit and set it to accept bunny or rabit or even hare?

    When you spell it "rabit", it is.

  • by QuoteMstr ( 55051 ) <dan.colascione@gmail.com> on Wednesday April 08, 2009 @04:35PM (#27509103)

    Everyone has a great idea for a CAPTCHA, but very few people know what the hell is really going on. Remember that the machine doesn't need to solve the CAPTCHA every time, that machines are infinitely patient and have huge memories, and that another machine needs to make sure the human gave the right answer!

    Ideas that won't work:

    1. Make clients identify an object from a picture. Machines can't describe objects in pictures: if machines can't describe the picture, how the hell is the CAPTCHA server supposed to verify that the client gave the correct answer? If a human being manually inputs the pictures and acceptable descriptions for each, then another human can program his attacking machine to do the same thing! Having a large, but finite set of pictures doesn't help either since a machine doesn't need to solve the CAPTCHA every time. It can just learn the correct responses without actually understanding the image. ANY APPROACH BASED ON IDENTIFYING A MEMBER OF A FINITE SET DOES NOT WORK AS A CAPTCHA.
    2. As a special case of #1, QUIZZES DO NOT WORK: either the questions are finite and subject to attacker memorization, or the number of patterns for the question is finite, and these patterns can be detected by a machine. (Consider "A train is coming from Denver at X miles per hour..." --- same problem, different coefficients)
    3. Send the client a special program that verifies he's real: if it doesn't work for DRM, it won't work for CAPTCHAs. An attacker can just program his machine to simulate slow typing, slow thinking, or a cross-eyed human being. YOU CANNOT CONTROL THE EXECUTION ENVIRONMENT. No amount of Javascript obfuscation, encryption, or header-checking will make the slightest bit of difference for a determined hacker.
    4. As a special case of #3, TIMING ANALYSIS DOES NOT WORK. Machines can simulate arbitrary delays.
    5. Limiting CAPTCHA-solving attempts by cookie/IP address/etc.: that doesn't work. Attackers don't obey web standards, and have botnets

    Really, it's very easy to think you've come up with a very clever CAPTCHA. When you think that, all you've done is stoked your ego and screwed yourself over. It's the same reason why we don't roll our own cryptography: CAPTCHA-making is a very hard problem, mainly because your problem space must be infinite (to avoid an attacking machine simply memorizing answers), the answers verifiable by a machine, but the problems not solvable by a machine.

    How many questions can be checked by machines but not answered by them?

    Not many; fewer every day. There are no questions that can't be answered by a computer (and which can be answered by a human mind). The Church-Turing thesis [wikipedia.org] has some validity: the human mind is no more powerful than a Turing machine, and ultimately, computers and our brains are computationally equivalent. There's nothing a computer can't solve: there are just things we haven't figured out yet.
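An added example (mine, not the commenter's) that puts numbers on point 1 above and on Phroggy's hundred-question list earlier in the thread: an attacker who never solves anything, but pays a human once per unseen challenge and records the answer. The challenge pool is constructed for the demo and stands in for any fixed set of pictures, quiz questions or word lists; the function names are this example's own.

```python
import random


def build_pool(size: int) -> dict[str, str]:
    """A finite challenge pool, constructed for the demo: challenge -> answer."""
    return {f"challenge-{i}": f"answer-{i}" for i in range(size)}


def simulate_memorizing_attacker(pool_size: int, human_solves: int,
                                 seed: int = 0) -> float:
    """Fraction of the pool the attacker can answer automatically after
    `human_solves` challenges have been served to it at random.

    Each unseen challenge costs one paid human solve; a seen one costs
    nothing, because the (challenge, answer) pair is replayed from memory.
    The attacker never needs to understand the challenge.
    """
    rng = random.Random(seed)
    pool = build_pool(pool_size)
    challenges = list(pool)
    memo: dict[str, str] = {}
    for _ in range(human_solves):
        served = rng.choice(challenges)      # server picks uniformly at random
        if served not in memo:
            memo[served] = pool[served]      # one paid solve, remembered forever
    return len(memo) / pool_size


def expected_solves_to_memorize_all(pool_size: int) -> float:
    """Coupon-collector expectation: n * H_n served challenges to see every
    one of n challenges at least once."""
    return pool_size * sum(1.0 / k for k in range(1, pool_size + 1))


def expected_attempts_per_free_pass(coverage: float) -> float:
    """With a fraction `coverage` memorized, the attacker simply reloads until a
    known challenge comes up; expected reloads per free pass is 1/coverage."""
    return float("inf") if coverage == 0 else 1.0 / coverage
```

With a hundred questions, `expected_solves_to_memorize_all(100)` is about 519 paid solves before the attacker runs unattended; after a single solve, coverage is 1% and `expected_attempts_per_free_pass(0.01)` is 100 reloads per spam post, which is Phroggy's "1% the speed" case. Enlarging the pool only moves the constant: the cost to the attacker grows as n log n, while a machine-generated infinite problem space is what would actually be needed.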

  • Re:So what next? (Score:3, Insightful)

    by arth1 ( 260657 ) on Wednesday April 08, 2009 @04:37PM (#27509143) Homepage Journal

    No, the legitimate user can't always try again.
    Sometimes, the captchas are ALWAYS unsolvable, like one site that uses complementary colours of the same intensity. That works well unless you can't read text on a complementary colour background, in which case you're always fscked. I am one of those.
    Or don't forget blind people.
    Or, in the case of "intelligence" captchas, people from other cultures. One particularly obnoxious site I went to had all questions about rap music and American sports. Neither of which I will be able to "solve" even if given unlimited tries.

    And there's a limit to how much a user can try before giving up too.

    Think of the captcha as a store door, requiring you to touch a button above the door frame before it'll let you pass. The idea is that this will stop stray dogs and cats from entering. Is it OK if the store then denies everybody who can't reach, who don't have hands, or who think the whole idea is ridiculous?

    This is a classic one-size-fits-most problem. Those who belong to the "most" group will seldom speak up for the minority who does have a problem. Until it bites them, or their family.

    Captchas are discriminatory by nature, and I am ashamed that we're willing to use them.

  • by QuoteMstr ( 55051 ) <dan.colascione@gmail.com> on Wednesday April 08, 2009 @04:41PM (#27509223)

    A CAPTCHA is not a Turing test. A Turing test requires that a person tell a computer and a human apart; the CAPTCHA problem is harder, from a certain point of view, because a computer is required to tell a human and a computer apart.

  • by ivan256 ( 17499 ) on Wednesday April 08, 2009 @04:51PM (#27509383)

    Almost nobody takes the time to make a spam-bot.

    Some 90% brain-dead excuse for human life takes something off the shelf and points it at whatever software you're running. Unless you're one of the most visited sites on the net, a minor modification to the code, and a manually integrated captcha is going to stop practically everybody from spamming your site.

  • Re:So what next? (Score:3, Insightful)

    by cromar ( 1103585 ) on Wednesday April 08, 2009 @04:51PM (#27509391)
    I'm not necessarily disagreeing with you totally, but "one size fits most" > "one size fits a few" > "one size fits none" if you can't get any closer to "one size fits all."

    In other words, the one size gets better as it approaches the limit of how many it fits; don't let the good be the enemy of the perfect!
  • by relguj9 ( 1313593 ) on Wednesday April 08, 2009 @04:55PM (#27509465)

    Errm... on small scale CAPTCHAs work brilliantly. For instance, if you've ever installed and administered a phpBB forum, the CAPTCHA that comes with it has been broken to hell such that as soon as your site is indexed, it's going to be spammed. Adding retardedly simple changes to the CAPTCHA will immediately stop all the spamming until someone specifically re-writes the bot for your site, which is doubtful in most cases.

    I didn't specifically do this, but you could change the code to say "Add these 2 numbers together, if you can't add then GTFO my forums." I'm sure you can think of a million minor tweaks you could make to the CAPTCHA or randomised text indicating how or in what sequence the user should enter the CAPTCHA.

    So I mean, yes... in most cases a small speed bump is all that's needed. If someone is specifically writing bots for your site on a large scale, the OP makes a little more sense and you'll need to keep ahead of the bots. I'm doubtful that there is a foolproof solution in this case aside from some credit card or ID verification.

  • by QuoteMstr ( 55051 ) <dan.colascione@gmail.com> on Wednesday April 08, 2009 @05:09PM (#27509663)

    While that may be effective for the moment, as soon as a webmail provider starts using it, it'll be cracked overnight.

  • by lewiscr ( 3314 ) on Wednesday April 08, 2009 @05:09PM (#27509667) Homepage

    Limit the email the account can send, and you reduce the desire for the account. Reduce the usefulness of the account, and you reduce the desire to crack the captcha on new account signups, or at least the profitability in doing so.

    Doesn't this increase the desire to get more accounts faster?

  • Animated Captchas (Score:3, Insightful)

    by Midnight Thunder ( 17205 ) on Wednesday April 08, 2009 @05:11PM (#27509711) Homepage Journal

    Sometimes, the captchas are ALWAYS unsolvable, like one site that uses complementary colours of the same intensity. That works well unless you can't read text on a complementary colour background, in which case you're always fscked. I am one of those.

    Sounds like an animated captcha could be an alternative approach, since here you could vary the intensity over time. Of course the animated captcha should only be server generated series of bitmaps or vectors, and not be client generated (Flash would fail), for obvious reasons.

  • Re:So what next? (Score:3, Insightful)

    by Tanktalus ( 794810 ) on Wednesday April 08, 2009 @05:13PM (#27509741) Journal

    And that's only because your podcast website doesn't present a large enough target to warrant changing the bots' heuristics to spam it.

    The "pay someone to answer" solution to captcha works just fine for breaking your site, too. It's just not worth it (yet?).

    Of course, that's the same solution many have for spam: by diversifying the operating system landscape among desktops (not a monoculture of Windows), we break down the value of targeting any particular vulnerability. It's alleged that the only reason that Linux doesn't have viruses is that there aren't enough users out there to warrant making one, and, whether you buy that or not, it definitely holds true for limiting spam on the web: everyone latching on to the same phpbb captcha interface is going to end up with a monoculture of bulletin boards to hack. By having everyone make minor modifications to it, you render yourself effectively immune: even though each one is trivial to hack by itself, each one requires its own unique hack, decreasing its value.

    If you use your "movie character" question, and a few dozen other sites use similar questions (with different characters), that's great. But it's about as effective as using "Type 'Bob' here:" and someone else using "'Bob' is what goes here:" and yet another site using "'Bob' is not the answer we want. 'Sue' is." It's also just as trivial to change once the spammers pay attention and modify their scripts to deal with your impertinence.

  • by QuoteMstr ( 55051 ) <dan.colascione@gmail.com> on Wednesday April 08, 2009 @05:34PM (#27510001)

    The entire system of how email works right now needs to be thrown away.

    It's worse than that. Any free or recipient-pays message system is subject to exactly the same amount of abuse. When sending a message costs nothing, the marginal cost of advertising is zero. As long as the marginal gain is non-zero, however small, volume will go to infinity. You can filter and legislate to reduce the volume of this advertising, but you'll never actually eliminate it. These countermeasures just bring the marginal cost of email up to slightly above zero --- but not nearly high enough to discourage spam.

    Email isn't special. SMTP is fine. There was fax-machine spam long before even Compuserve. Today, we see text message spam, Facebook spam, MySpace spam, and so on. Email itself isn't the problem. Changing what you call the system doesn't change how it works. It's recipient-pays messaging that's the problem.

    Sure, sender-pay systems like the postal service see some volume of advertising, but the volume is kept down by the relatively high marginal cost. Ultimately, I don't see a way of reconciling free anonymous messaging with a spam-free inbox.

  • Re:So what next? (Score:3, Insightful)

    by Dishevel ( 1105119 ) on Wednesday April 08, 2009 @05:42PM (#27510135)
    Isn't that what is actually already implemented?
  • by IamGarageGuy 2 ( 687655 ) on Wednesday April 08, 2009 @06:49PM (#27511123) Journal
    We all bloody well know how to get rid of spam but nobody ever talks about the real culprits. The credit card companies. The ones who facilitate the way for spammers to make money. Unfortunately the CC companies make money so they don't care, but let's face it, if the CC companies decided to get rid of spam and lose the income, it could be wiped out in a week. All they would have to do is deny any payments to somebody suspected of spam - problem solved - I never hear anybody bitch about the root of the problem which is the ability to receive payments.
  • Re:Not really (Score:3, Insightful)

    by DragonWriter ( 970822 ) on Wednesday April 08, 2009 @07:50PM (#27511821)

    SPAM is sent from compromised computers. If you make people pay for posts then the owners of compromised computers will be billed - not the real senders of SPAM.

    If the computer was so compromised that the spambot was able to log-in to secure websites (which any site that used a pay-to-post system would need to be) as if it was the legitimate operator of the computer, it makes sense to charge the operator of the computer. This will also, very quickly, encourage adoption of good security practices, as when the improper activity is (a) visible to the owner of the computer, and (b) has a direct financial cost to the owner of the computer, it won't continue without some kind of effective response. Spam bots operate on people's computers because they can do so without the owner of the computer ever realizing it. If every piece of spam sent out resulted in an immediate financial transaction for which the owner of the computer was responsible, you can bet that that owner would (a) notice, and (b) do whatever was necessary to stop the spam.

  • by DragonWriter ( 970822 ) on Wednesday April 08, 2009 @08:08PM (#27512029)

    No, you see, the non-interactive labels that the user actually *sees* still say Name:, Email:, etc., but the *names* of the fields that are passed to the form processor are pseudo-random garbage.

    So, essentially, this works as long as it's not a common technique, but as soon as it becomes common enough to matter to the overall volume of forum spam in the world, there is a trivial way for spammers to adapt to it and defeat it.

  • UN solution (Score:3, Insightful)

    by Max_W ( 812974 ) on Thursday April 09, 2009 @01:15AM (#27514173)
    It is a task for the United Nations. Spam is causing major damage to the world economy via lost work time, traffic, etc. We need international enforceable laws, which would make spam illegal and inevitably punishable worldwide.

    It is a big problem and requires a big solution.

    Our leaders shall overcome their cultural shock, phase out activities in local organizations, like EU, NATO, CIS, etc., and begin to work in a global setup, the UN, the WTU - world telecommunication union, Interpol, UNICEF, etc.

    What is the point of fighting spam in, say, the USA, if it will continue to pour in from, say, Indonesia?
