Spam The Internet

Why the CAPTCHA Approach Is Doomed

TechnoBabble Pro writes "The CAPTCHA idea sounds simple: prevent bots from massively abusing a website (e.g. to get many email or social network accounts, and send spam), by giving users a test which is easy for humans, but impossible for computers. Is there really such a thing as a well-balanced CAPTCHA, easy on human eyes, but tough on bots? TechnoBabble Pro has a piece on 3 CAPTCHA gotchas which show why any puzzle which isn't a nuisance to legitimate users won't be much hindrance to abusers, either. It looks like we need a different approach to stop the bots."


  • After three tries (Score:3, Interesting)

    by geekoid ( 135745 ) <dadinportlandNO@SPAMyahoo.com> on Wednesday April 08, 2009 @03:43PM (#27508177) Homepage Journal

    block the IP address for 10 minutes, then an hour, then a day.

  • by RemoWilliams84 ( 1348761 ) on Wednesday April 08, 2009 @03:44PM (#27508187)

    This troll actually gave me an idea. Why not ascii art?

    Give an ascii art picture and ask the user to tell what it is.

    In this case cock would let you through.

  • Re:What about ... (Score:3, Interesting)

    by snowraver1 ( 1052510 ) on Wednesday April 08, 2009 @03:49PM (#27508267)
    you could use the same questions for every picture, just make them generic:

    Example: Picture of cat.

    Question 1: Does this fly?

    Question 2: Is this living?

    Question 3: Would a human be able to pick this up?, etc.
  • Re:So what next? (Score:5, Interesting)

    by Trepidity ( 597 ) <delirium-slashdot@@@hackish...org> on Wednesday April 08, 2009 @03:49PM (#27508279)

    Spam-filters analogous to those applied to email seem to be increasingly used as plugins to various blog engines.

  • by smooth wombat ( 796938 ) on Wednesday April 08, 2009 @03:50PM (#27508287) Journal

    has a different take on the subject. Rather than trying to obscure the image with lines or similar measures, it uses a series of letters, some of which are a color. You are then asked to type in the colored letters to proceed.

    I don't know if these are static images or generated each time but the owner claims his site has almost no spammers (i.e. people have to do it, not machines).

  • Re:So what next? (Score:5, Interesting)

    by Ralph Spoilsport ( 673134 ) on Wednesday April 08, 2009 @03:57PM (#27508421) Journal
    Making people pay for posts. Making people pay for email. That will stop spam dead in its tracks.

    Now, I didn't say you'd LIKE what's next...

    RS

  • by davidwr ( 791652 ) on Wednesday April 08, 2009 @04:00PM (#27508475) Homepage Journal

    The more effort someone is willing to put out to prove they are human or are backed by a human willing to be responsible for problems, the more abuse-able services you give them.

    For example, e-mail service providers could offer several tiers:

    Simple signup/new accounts:
    Limited number and size of incoming and outgoing messages.

    Verified signup/driver's license with confirmation by paper mail:
    Nearly-full, with shutoff or limitations imposed at first sign of abuse.

    Verified signup/credit card with confirmation:
    Nearly-full, with shutoff or limitations imposed at first sign of abuse.

    Established account, with a pattern of usage indicative of a human over a period of several weeks:
    Nearly-full, with shutoff or limitations imposed at first sign of abuse.

    Credentialed user, backed by a substantial bond or deposit and an explanation of why suspicious behavior really is legitimate:
    Full access plus a free pass on "legitimate" suspicious behavior until someone complains, but if it's abused then throttle him and take the costs out of his deposit.

  • by RobertB-DC ( 622190 ) * on Wednesday April 08, 2009 @04:02PM (#27508521) Homepage Journal

    They may be trivial to bypass (for some definition of 'trivial'), but many applications only need a tiny speed-bump to make a huge difference in undesirable traffic.

    Plus, if you're using ReCaptcha [recaptcha.net], you're making the spammers do a little bit of good for the world. If they can develop software that reliably cracks ReCaptcha, then they've solved a lot tougher problem than just pushing v1@g@r@.

  • by Anonymous Coward on Wednesday April 08, 2009 @04:03PM (#27508541)

    There is a different way to manage obscurity/captchas: simply generate strangely worded questions with obvious answers.

    Maybe I've missed something, but wouldn't a bot have significant trouble coming up with the answer to a question like:
    What does a person see with? (plural)

    Not that anyone would be able to get past the 'who was the n-th president of the U.S' approach.

  • by Kimos ( 859729 ) <`moc.liamg' `ta' `todhsals.somik'> on Wednesday April 08, 2009 @04:10PM (#27508663) Homepage
    There are a few flaws with this idea. Primarily that it blocks colorblind individuals from registering for the site, and there are much more colorblind internet users than visually and hearing impaired.

    This is also not very difficult to break. Assuming that the letters and numbers aren't obfuscated the same way CAPTCHA images are (if they are then this is just another CAPTCHA), a bot would be able to parse the characters out of the image. It could then classify the characters into groups of colors, pick one group randomly, and guess. There couldn't be more than four or five colors in the image since asking to differentiate between aqua/navy/royal/pale blue is unreasonable for a human (but interestingly enough, not difficult for a computer). That would give you a bot with a ~20-25% accuracy rate.

    Beyond that, you could parse the question as well, looking for the words red, blue, green, black, etc. and classify ranges of hex colors into associated color names. That would greatly increase success rate of guesses.

    This is not a reliable CAPTCHA replacement and in fact seems not very difficult to break.
  • Re:So what next? (Score:5, Interesting)

    by zippthorne ( 748122 ) on Wednesday April 08, 2009 @04:19PM (#27508831) Journal

    Charge a fee. It doesn't have to be money. It could be cycles.

    Have the client hash the message with some random characters appended to the end of it. Have it vary the characters until the hash matches some pre-defined pattern before sending. Cheap to verify on the incoming machine (just one hash), arbitrarily expensive on the sending machine. Your requirement can be for a certain number of characters or a specific sequence of bits, all the way up to the bitlength of the hash.

    It doesn't answer the question of "is the sender a human" but it does answer the question of "how much is this message worth to the sender." The beauty of it is that that is sufficient.

    If the spammer is using a dedicated server, you can limit the amount of spam they can send arbitrarily. Imagine how profitable a spam server would be if it cost $3k to send 86,400 messages per day? If the spammer is using a botnet, that scales a little better for them, but since it chews up cycles, it's going to make their operation noticeable to users.

    There are probably better ways even than that, and someone will eventually find one that is more deterministic (it's unlikely, but there's a chance that someone could just be unlucky enough to never be able to chance on the right sequence using a pseudorandom perturbation approach).

    I didn't think of this though, so there might be some patents. Google for message digest spam control or something like that to see some papers.
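    The proof-of-work stamp described in this comment, written out as an added example in Go (not the commenter's code or any project's). It uses a counter instead of random characters, which is what Hashcash does and removes the "unlucky forever" case the comment worries about, since no candidate is ever retried; the recipient's check is still a single SHA-256. The difficulty values and the sample message are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// leadingZeroBits counts the zero bits at the front of a SHA-256 digest;
// "difficulty" below is the minimum number a valid stamp must reach.
func leadingZeroBits(sum [32]byte) int {
	n := 0
	for _, b := range sum {
		if b != 0 {
			return n + bits.LeadingZeros8(b)
		}
		n += 8
	}
	return n
}

// withNonce appends an 8-byte big-endian counter to the message.
func withNonce(msg []byte, nonce uint64) []byte {
	buf := make([]byte, len(msg)+8)
	copy(buf, msg)
	binary.BigEndian.PutUint64(buf[len(msg):], nonce)
	return buf
}

// MintStamp is the sender's side: walk the counter upward until the digest has
// at least `difficulty` leading zero bits. Expected work is 2^difficulty hashes,
// so the cost is tunable, and the counter never revisits a candidate.
func MintStamp(msg []byte, difficulty int) (nonce uint64, digest string) {
	for nonce = 0; ; nonce++ {
		sum := sha256.Sum256(withNonce(msg, nonce))
		if leadingZeroBits(sum) >= difficulty {
			return nonce, hex.EncodeToString(sum[:])
		}
	}
}

// VerifyStamp is the recipient's side: exactly one hash, however much work the
// difficulty cost the sender.
func VerifyStamp(msg []byte, nonce uint64, difficulty int) bool {
	return leadingZeroBits(sha256.Sum256(withNonce(msg, nonce))) >= difficulty
}

func main() {
	// Constructed sample. The stamped "message" should be a canonical form of
	// recipient, date and body so a stamp cannot be reused on other mail.
	msg := []byte("to:alice@example.invalid|date:2009-04-08|body:hello")
	nonce, digest := MintStamp(msg, 20) // roughly a million hashes for the sender
	fmt.Printf("nonce=%d digest=%s\n", nonce, digest)
	fmt.Println("valid:   ", VerifyStamp(msg, nonce, 20))
	fmt.Println("tampered:", VerifyStamp(append(msg, '!'), nonce, 20))
}
```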

  • Re:So what next? (Score:3, Interesting)

    by IgnoramusMaximus ( 692000 ) on Wednesday April 08, 2009 @04:25PM (#27508931)

    The next thing to do is to close the services that need (CAPTCHA) spam protection. This means no more free email. Get used to paying.

    Why is this bullshit non-solution always brought up by some greed-monkeys who salivate at the idea of charging billions in "micro-payments" ... oh wait.

    I will make it as simple as possible to you: pay-to-play-posting + bot-net = spam unabated + billions in charges to hapless consumers. And no, securing PCs air-tight is not a practical solution in a situation where average user will never attain sufficient know-how to defend himself/herself against a determined, resourceful and very knowledgeable attacker. The pros have hard time defending themselves, never you mind the grandma. You are more likely to succeed getting rid of bot-nets by banning all personal computers in the possession of amateurs or the Internet wholesale ...

    But then again, stopping spam was never the objective in these "proposals", raking-in extortion fees from everyone though was the goal all along. Little surprise then that the chief promoters of all the pay-per-email, post, web-page etc schemes are the likes of ... Bill Gates. Go figure.

  • by rAiNsT0rm ( 877553 ) on Wednesday April 08, 2009 @04:29PM (#27509015) Homepage

    I watched an amazing mini-documentary about Re-Captcha and really like the concept and the end goal. Basically Re-Captcha uses two words, one known word and one of the words is unknown and comes from book digitization efforts. The known word gets you into the site for whatever you are doing, the unknown one comes from a literary work that OCR couldn't figure out. After a large sampling of people have typed the unknown word the majority answer becomes the text entered in the digitization effort.

    My contention is that people like myself who think it is a great cause would happily spend some free/bored time just entering the unknown words on a website without the whole captcha bit. If anyone here is a part or knows anyone on the team please bring this idea up.

  • Here's what I use... (Score:3, Interesting)

    by X86Daddy ( 446356 ) on Wednesday April 08, 2009 @05:08PM (#27509647) Journal

    When the PHPBB2 CAPTCHA became completely useless and I was seeing hundreds of bot registrations on a forum I ran, I built something else. I added a simple extra text field to the registration form. I ask a plain English question, giving away the answer, and require the user to write it in the blank.

    i.e. What is the common name for a domesticated feline? (Starts with "c" and ends with "at" This is an anti-spam measure)

    The field is checked for the right answer on the post-processing. This stopped 100% of the fake registrations. I ended up doing this on practically every web-accessible form I have built since then, and I've seen the method pop up on other people's websites as well (certainly parallel evolution rather than "they got it from me").

  • Re:So what next? (Score:3, Interesting)

    by IgnoramusMaximus ( 692000 ) on Wednesday April 08, 2009 @06:36PM (#27510941)

    I can see that you did not understand my intention. Probably because it was not clear enough. Sorry about that. What I wanted to do was close all the gratis email accounts and start charging for signup to get an email account.

    Which does not change the dynamics one bit. The bot net operators will simply direct their bots to steal the pay-to-play site passwords that the victims go to and the game is over. Worse, because now you no longer guard against spammers for these pay-to-play accounts, you've now made it significantly easier to exploit the sites themselves by use of thousands of stolen logins. So back to CAPTCHA ... and pay-to-play?!

    The whole thing is pointless and the only side-effect is that now people get to charge for no improvement at all. But then again, that was the point all along.

    If it costs money to get an email account we do not need CAPTCHA because the payment is the CAPTCHA. If spammers sign up using their own credit card we know who they are. If they sign up using someone else's credit card it is fraud which is investigated much better.

    Where the heck does this utterly naive and completely silly assumption that the bot operators will sign up using their credit cards comes from?! They will wait until millions of doofuses sign up, with their individual credit cards, PayPal accounts and what-not, and then use the bot-infected PC's belonging to the hapless victims to log in and spam away. No change in spam volume but a major change in economics for the PC users. Now they are not only charged for things that used to be free, but also get to be charged for the privilege of being spam vectors, particularly (which is always somewhere in these "proposals") when per-post or per-message "micropayments" get involved. And again, the scammers proposing these "solutions" are quite aware of this, after all that is the point of the whole pay-to-play and "micropayment" scams, the increase of revenue for no extra service.

    To make the jurisdiction even more easy, then you can only sign up for email from local companies, or companies in countries that have similar laws against spamming. If this means that people from some countries cannot get a free gmail account, tough luck.

    Again, you comprehend nothing. The millions of infected PCs are all over the world, and mostly in places that have a lot of PCs ... i.e. the USA. So you've gained nothing again. You keep forgetting that spammers are criminals, and criminals never use their own stuff!!! They use their victim's equipment, credit cards and PCs.

    I have no intention of charging for each and every email people send. Only for the account.

    See above. You've "solved" nothing whatsoever, other than to create a revenue stream where none existed before, which again is why these kinds of "anti spam" proposals are so loved by the likes of Gates.

  • Re:So what next? (Score:3, Interesting)

    by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Wednesday April 08, 2009 @09:33PM (#27512673) Journal

    All except the money solution seem to rely on being able to pin an identity to a particular user (or bot). For example, GMail's rate limiting assumes that each bot has exactly one GMail address.

    It falls apart when the bot registers a few hundred thousand GMail addresses.

    What prevents bots from doing that now? CAPTCHAS.

    I agree with the article that CAPTCHA is doomed and that other approaches are needed. I don't agree that either of those solutions work, by themselves.

  • Re:So what next? (Score:3, Interesting)

    by fredklein ( 532096 ) on Wednesday April 08, 2009 @10:59PM (#27513243)

    They will wait until millions of doofuses sign up, with their individual credit cards, PayPal accounts and what-not, and then use the bot-infected PC's belonging to the hapless victims to log in and spam away.

    ...which is why captchas (and other methods that try to stop spammers from setting up accounts) are worthless.

    You need to stop spam from reaching the users. If they don't see it, they aren't bothered by it.

    I've said it before- Email Certification.

    Want to run a Certified Email server? Go to your ISP (or other such companies that may arise to offer the service). They check you out (Are you who you say you are? Do you have valid contact information? Etc...), then have you produce a Public/Private key pair. You give them the 'Public' key, and keep the 'Private' one to configure your email server with. Your email server must add an additional header with your Certifier's Certification Server (usually their email server), and a header that is encrypted with your Private key.

    An email client that is Certification-compatible will, when it receives an email, look to see if it has those two headers. If not, it will handle it according to the user's wishes. This means NON-Certified email might be deleted, or sent to a different folder, or whatever. Whitelists/blacklists are still possible.

    If the email has the headers, the email client will connect to the Certification Server listed in the one header, and download the 'Public' key to attempt to decrypt the other header. If the decrypted header is valid, the client treats the email the way it is configured to, usually by placing it in the Inbox. Again, whitelists and blacklists can still be used.

    Here's the most important part: If the user receives Spam that is Certified, they can easily report it to the Certifier (email clients would have a 'Report Certified Spam' button that automatically shoots an email off to the Certifier, for instance). The Certifier can then contact the owner of the Certified Server and notify them of the spam. This gives the server owner a chance to stop the spam, in case the server was hacked or the spam was accidental. If the Server owner does not stop the spam, the Certifier simply pulls the Certification, by removing the 'Public' key on their server. From that moment forward, ALL email the Email server in question sends will be NON-certified (and quite frankly, probably deleted by the recipients).

    If the Certifier refuses to do anything about the Spamming Server (because they are 'in on it', friendly to spammers, or just incompetent), then ALL Certifications from that Certifier can be marked as 'bad', either on a client-by-client basis, or thru the use of a Certifier black-list.

    -There is no 'Central Authority'- your ISP Certifies you for a modest fee.
    -You can still send non-certified email, so hobby mailing lists and the like are not affected- the people who receive the mailing list might just need to whitelist it.
    -Legit email will (eventually, almost always) be Certified, so Certified emails can be sent straight to the Inbox. Non-certified email will (eventually, almost always) be spam, so it can be trashed.
    -Any spam that is sent from a Certified server will quickly be reported by pissed-off recipients, and quick action will be needed to avoid that Certifier (and ALL the servers it has certified) from being put on a blacklist.
    -Spam will dwindle as Spammers either move to 'spam-friendly' Certifiers (which are blacklisted so the spam never gets thru anyway), or will spend huge amounts of money switching ISPs every 2-3 days to get re-certified over and over. Of course, ISPs could take a clue from the Las Vegas Casinos, and keep a 'black book' of known spammers, and check new clients against them before Certifying them.
    -This system does not need to be adopted all at once. Certified and non-certified emails can be handled both by email clients that are Certification aware and not.

    It may not be perfect, but it'd be a good start.
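    The certification check from this comment, as an added example in Go (not fredklein's code or any real product). The "header that is encrypted with your Private key" is modelled as an Ed25519 signature over the sending server, the certifier, the From address and a body digest (which fields the header covers is an assumption); the Certification Server is a map of published keys, pulling a certification deletes the key, and the certifier blacklist is a set of names. Server and certifier names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Certifier models the ISP's Certification Server: one published public key per
// certified mail server. Pulling a certification is just deleting that key.
type Certifier struct{ Keys map[string]ed25519.PublicKey } // server name -> key

// Certify is run after the certifier's out-of-band identity check; Revoke pulls
// the certification, so later mail from that server is uncertified.
func (c *Certifier) Certify(server string, pub ed25519.PublicKey) { c.Keys[server] = pub }
func (c *Certifier) Revoke(server string)                         { delete(c.Keys, server) }

// Mail: the two scheme headers (Certifier, Signature) beside the fields the signature covers.
type Mail struct{ Server, Certifier, From, Body, Signature string }

// signedInput binds the signature to sender, certifier and a body digest so a captured
// header cannot be replayed on other mail (an assumption; the comment leaves this open).
func signedInput(m Mail) []byte {
	sum := sha256.Sum256([]byte(m.Body))
	return []byte(strings.Join([]string{m.Server, m.Certifier, m.From, hex.EncodeToString(sum[:])}, "\n"))
}

// Sign is the certified server's side: the extra header made with its private key.
func Sign(m Mail, priv ed25519.PrivateKey) Mail {
	m.Signature = hex.EncodeToString(ed25519.Sign(priv, signedInput(m)))
	return m
}

// Classify is the client's side. "uncertified": headers missing, certifier unknown or
// blacklisted, or key pulled. "forged": headers present but the signature does not verify.
func Classify(m Mail, dir map[string]*Certifier, blacklist map[string]bool) string {
	c, ok := dir[m.Certifier]
	if m.Signature == "" || !ok || blacklist[m.Certifier] {
		return "uncertified"
	}
	pub, ok := c.Keys[m.Server] // the "download the Public key" step
	if !ok {
		return "uncertified"
	}
	sig, err := hex.DecodeString(m.Signature)
	if err != nil || !ed25519.Verify(pub, signedInput(m), sig) {
		return "forged"
	}
	return "certified"
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the server owner's key pair
	if err != nil {
		panic(err)
	}
	isp := &Certifier{Keys: map[string]ed25519.PublicKey{}} // constructed names below
	isp.Certify("mail.example", pub)
	dir := map[string]*Certifier{"isp.example": isp}
	m := Sign(Mail{Server: "mail.example", Certifier: "isp.example", From: "bob@example", Body: "hi"}, priv)
	fmt.Println(Classify(m, dir, nil)) // certified
	isp.Revoke("mail.example")
	fmt.Println(Classify(m, dir, nil)) // uncertified
}
```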

  • by kwerle ( 39371 ) <kurt@CircleW.org> on Wednesday April 08, 2009 @11:25PM (#27513419) Homepage Journal

    It only works for us small-fry. If we got any serious amount of traffic, we'd be worth 'cracking'.

  • Re:So what next? (Score:3, Interesting)

    by LBU.Zorro ( 585180 ) on Thursday April 09, 2009 @06:50AM (#27515983)

    Nonsense. No amount of incentive will get Grandma to start running (and understanding the output of) packet sniffers, traffic analyzers and the like. This has nothing whatsoever to do with "locking down" computers as automated countermeasures are only very superficially effective against a very adaptable enemy.

    Grandma doesn't need to do packet sniffing, traffic analysis and the like. She simply needs to alter her behaviour slightly. To maintain your machine(s) free of malware you simply need to be careful, maintain your anti-virus etc and be alert for odd changes in your machine.

    Again, since you do not run frequent, in-depth manual checks on your system, you do not even know if you are not already owned by a deep seated root-kit. Everything you described is insufficient to defend, or to even detect such an attack. Also you already perform things that the average user is not likely to do, even with incentives, as the whole idea of choosing where not to go on the Internet is anathema to Internet use for them. You might as well kick 80% of people off the Internet by some legislation.

    Sorry, but do you actually know how almost all things like root-kits etc are installed on a user's machine? Social engineering. It might be cooler to think that someone somewhere is attacking your machine directly and you can't prevent it, but mostly it's tricking someone into installing some software that is lying to you.

    It is relatively rare that something is automatically installed on your machine via a zero day exploit; mostly it's down to someone clicking yes when they shouldn't, or a patch they should have installed a year ago.

    No, it is impossible to implement, without some frighteningly radical changes in home computer usage, like for example demanding that no PC is connected to the Internet that is not continuously monitored by a security expert ...

    Nope, you don't need at all to demand that a security expert is required 24x7, all you need to do is stop insulating people from their own decisions.

    If they don't want to protect themselves, fine, connect through an ISP that is happy to protect them from themselves (and this is possible, just expensive) if you want to take responsibility then just connect to the internet.

    If I was able to give my mum a few simple rules and pointers that have managed to keep her virus and trojan free for years I don't understand anyone else having an issue.

    You appear to either be totally paranoid about attacks, or a security professional drumming up additional business because (to me at least) you appear to be seriously overstating the issue.

    The reason for most modern malware is money; people do this to make money, and most of them feed off the low hanging fruit of the people who do nothing to protect themselves. If you 'raise' the barrier to entry such that most scams and trojans etc don't even get off the ground, if you fix the social engineering problem, you will kill most, if not all, of the market, and no matter how good the zero-day exploit is, if you seriously restrict the bread and butter of the malware industry you'll effectively kill it other than the truly malicious.

    A few changes to all ISPs would be good too, things like removing the ability to packet source spoof would be good since it's relatively trivial to ensure the sender IP is correct, and that gets rid of most of the attacks other than bot nets and makes it much easier to clean things up.

    Z.
