<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: CAPTCHA &#8211; eeeewwwww</title>
	<atom:link href="http://www.barneyb.com/barneyblog/2006/07/28/captcha-eeeewwwww/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.barneyb.com/barneyblog/2006/07/28/captcha-eeeewwwww/</link>
	<description>Thoughts, rants, and even some code from the mind of Barney Boisvert.</description>
	<lastBuildDate>Thu, 11 Sep 2014 09:58:12 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Barney</title>
		<link>https://www.barneyb.com/barneyblog/2006/07/28/captcha-eeeewwwww/comment-page-1/#comment-379</link>
		<dc:creator>Barney</dc:creator>
		<pubDate>Thu, 17 Aug 2006 21:37:17 +0000</pubDate>
		<guid isPermaLink="false">http://barneyb.com/barneyblog/?p=174#comment-379</guid>
		<description>CAPTCHA is designed to prevent computers from doing what you only want humans to do.  Whether it&#039;s logging into a bank, registering a domain, or posting a blog comment, the goal is the same.

But you make exactly my point.  Security needs to be more difficult to crack than the benefits of cracking it, but at the same time, it needs to be as transparent as possible.  Hence I use biometrics and two separate computer controlled keys to get in my datacenter, but I use stupid JS obfuscation to keep blog spammers out.  Both are secure enough, and both are minimally intrusive.
</description>
		<content:encoded><![CDATA[<p>CAPTCHA is designed to prevent computers from doing what you only want humans to do.  Whether it's logging into a bank, registering a domain, or posting a blog comment, the goal is the same.</p>
<p>But you make exactly my point.  Security needs to be more difficult to crack than the benefits of cracking it, but at the same time, it needs to be as transparent as possible.  Hence I use biometrics and two separate computer controlled keys to get in my datacenter, but I use stupid JS obfuscation to keep blog spammers out.  Both are secure enough, and both are minimally intrusive.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tuggle</title>
		<link>https://www.barneyb.com/barneyblog/2006/07/28/captcha-eeeewwwww/comment-page-1/#comment-378</link>
		<dc:creator>Tuggle</dc:creator>
		<pubDate>Thu, 17 Aug 2006 21:15:21 +0000</pubDate>
		<guid isPermaLink="false">http://barneyb.com/barneyblog/?p=174#comment-378</guid>
		<description>I am certainly up for correction on this, but I thought CAPTCHA was primarily developed for stopping automated signups on high traffic sites or hacking/DoS style attacks. When did &quot;the average Joe&quot; start thinking they should apply it to their blog comments? Comment spam bots are looking to hit the web in mass droves. So even having a field that says &quot;Type the word &#039;happy&#039; in the box&quot; would stop a bot because they&#039;re not going to write a custom submission just for your blog. Any question would work &quot;What color is the sky?&quot;, etc.

So aside from the cool factor which wears off in about 7 minutes, I think CAPTCHA is like killing an ant with a nuke.</description>
		<content:encoded><![CDATA[<p>I am certainly up for correction on this, but I thought CAPTCHA was primarily developed for stopping automated signups on high traffic sites or hacking/DoS style attacks. When did "the average Joe" start thinking they should apply it to their blog comments? Comment spam bots are looking to hit the web in mass droves. So even having a field that says "Type the word 'happy' in the box" would stop a bot because they're not going to write a custom submission just for your blog. Any question would work "What color is the sky?", etc.</p>
<p>So aside from the cool factor which wears off in about 7 minutes, I think CAPTCHA is like killing an ant with a nuke.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ben Nadel</title>
		<link>https://www.barneyb.com/barneyblog/2006/07/28/captcha-eeeewwwww/comment-page-1/#comment-377</link>
		<dc:creator>Ben Nadel</dc:creator>
		<pubDate>Mon, 07 Aug 2006 16:25:29 +0000</pubDate>
		<guid isPermaLink="false">http://barneyb.com/barneyblog/?p=174#comment-377</guid>
		<description>Sami Hoda, I would definitely be interested in a math captcha. I am currently using a math de-spamming method on my site and it is working quite nicely. I do, however, have to get a bit complicated when obfuscating the display of the math. Check it out at http://bennadel.com/index.cfm?dax=blog:197.view</description>
		<content:encoded><![CDATA[<p>Sami Hoda, I would definitely be interested in a math captcha. I am currently using a math de-spamming method on my site and it is working quite nicely. I do, however, have to get a bit complicated when obfuscating the display of the math. Check it out at <a href="http://bennadel.com/index.cfm?dax=blog:197.view" rel="nofollow">http://bennadel.com/index.cfm?dax=blog:197.view</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Barney</title>
		<link>https://www.barneyb.com/barneyblog/2006/07/28/captcha-eeeewwwww/comment-page-1/#comment-376</link>
		<dc:creator>Barney</dc:creator>
		<pubDate>Fri, 28 Jul 2006 20:49:23 +0000</pubDate>
		<guid isPermaLink="false">http://barneyb.com/barneyblog/?p=174#comment-376</guid>
		<description>Charlie,

Another alternative that I considered (but didn&#039;t end up having to implement), is a session-based check to ensure the submission matches a form that&#039;s been rendered by the app.  You could even do it without a session and just use form/URL variables, if you wanted.

The trick is to make the computer have to jump through hoops to do what it wants.  As soon as navigating the hoops isn&#039;t worth the benefits, you&#039;ve won.  A link on my blog comments that I&#039;m going to delete anyway isn&#039;t worth much, so people don&#039;t try very hard.</description>
		<content:encoded><![CDATA[<p>Charlie,</p>
<p>Another alternative that I considered (but didn't end up having to implement), is a session-based check to ensure the submission matches a form that's been rendered by the app.  You could even do it without a session and just use form/URL variables, if you wanted.</p>
<p>The trick is to make the computer have to jump through hoops to do what it wants.  As soon as navigating the hoops isn't worth the benefits, you've won.  A link on my blog comments that I'm going to delete anyway isn't worth much, so people don't try very hard.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Barney</title>
		<link>https://www.barneyb.com/barneyblog/2006/07/28/captcha-eeeewwwww/comment-page-1/#comment-375</link>
		<dc:creator>Barney</dc:creator>
		<pubDate>Fri, 28 Jul 2006 20:41:25 +0000</pubDate>
		<guid isPermaLink="false">http://barneyb.com/barneyblog/?p=174#comment-375</guid>
		<description>Peter, I know all about spambots hosing my blog.  Initially, I had few problems, but there was a point when I was getting several thousand per day on a regular basis.  Some of the simple obfuscation tricks (like renaming mt-comments.cgi) produced results like Matt&#039;s: it stopped the spam for a few hours.  However, doing a JS-based rewrite seems to have almost completely cured it.  Check the source for how it works.  Wouldn&#039;t be hard to defeat, but like everything else in the world of security, it only has to be more difficult than it&#039;s worth.

The handful that don&#039;t get foiled are mostly handled by content filters (which, I might add, have yet to kill a legit comment), and the occasional one that slips through both is immediately manually deleted and used to improve the content filter.

I&#039;ll certainly agree that registering for a site (particularly if it requires email-based positive confirmation) is far worse than a CAPTCHA check.  I can see the utility for &quot;important&quot; stuff (like PayPal), but for blog comments on most blogs, the benefits of computer posting aren&#039;t sufficient to endeavor to overcome simple, user-transparent security measures, which makes those measures equally effective.</description>
		<content:encoded><![CDATA[<p>Peter, I know all about spambots hosing my blog.  Initially, I had few problems, but there was a point when I was getting several thousand per day on a regular basis.  Some of the simple obfuscation tricks (like renaming mt-comments.cgi) produced results like Matt's: it stopped the spam for a few hours.  However, doing a JS-based rewrite seems to have almost completely cured it.  Check the source for how it works.  Wouldn't be hard to defeat, but like everything else in the world of security, it only has to be more difficult than it's worth.</p>
<p>The handful that don't get foiled are mostly handled by content filters (which, I might add, have yet to kill a legit comment), and the occasional one that slips through both is immediately manually deleted and used to improve the content filter.</p>
<p>I'll certainly agree that registering for a site (particularly if it requires email-based positive confirmation) is far worse than a CAPTCHA check.  I can see the utility for "important" stuff (like PayPal), but for blog comments on most blogs, the benefits of computer posting aren't sufficient to endeavor to overcome simple, user-transparent security measures, which makes those measures equally effective.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: charlie griefer</title>
		<link>https://www.barneyb.com/barneyblog/2006/07/28/captcha-eeeewwwww/comment-page-1/#comment-374</link>
		<dc:creator>charlie griefer</dc:creator>
		<pubDate>Fri, 28 Jul 2006 17:54:39 +0000</pubDate>
		<guid isPermaLink="false">http://barneyb.com/barneyblog/?p=174#comment-374</guid>
		<description>I just signed up for a forum today, and at the bottom there were two radio buttons.  The one that was checked by default said something along the lines of &quot;i am a bot and won&#039;t know enough to click the other radio button&quot;, and the 2nd (unchecked) button had text that read, &quot;I&#039;m a human.  Let me in&quot;.

I&#039;ll admit, I thought that was a better alternative than trying to figure out some CAPTCHAs that I&#039;ve seen.  Although I don&#039;t profess to know how successful something like that is vs. a CAPTCHA system&#039;s success rate.</description>
		<content:encoded><![CDATA[<p>I just signed up for a forum today, and at the bottom there were two radio buttons.  The one that was checked by default said something along the lines of "i am a bot and won't know enough to click the other radio button", and the 2nd (unchecked) button had text that read, "I'm a human.  Let me in".</p>
<p>I'll admit, I thought that was a better alternative than trying to figure out some CAPTCHAs that I've seen.  Although I don't profess to know how successful something like that is vs. a CAPTCHA system's success rate.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Sami Hoda</title>
		<link>https://www.barneyb.com/barneyblog/2006/07/28/captcha-eeeewwwww/comment-page-1/#comment-373</link>
		<dc:creator>Sami Hoda</dc:creator>
		<pubDate>Fri, 28 Jul 2006 17:50:15 +0000</pubDate>
		<guid isPermaLink="false">http://barneyb.com/barneyblog/?p=174#comment-373</guid>
		<description>What do you guys think of Math Captchas? Like the one on Kurt Wiersma&#039;s blog?</description>
		<content:encoded><![CDATA[<p>What do you guys think of Math Captchas? Like the one on Kurt Wiersma's blog?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Peter J. Farrell</title>
		<link>https://www.barneyb.com/barneyblog/2006/07/28/captcha-eeeewwwww/comment-page-1/#comment-372</link>
		<dc:creator>Peter J. Farrell</dc:creator>
		<pubDate>Fri, 28 Jul 2006 15:48:06 +0000</pubDate>
		<guid isPermaLink="false">http://barneyb.com/barneyblog/?p=174#comment-372</guid>
		<description>Barney,

While you may not like Captcha - the technology is here to stay until there is an international identification / authentication system in place.  According to the research, Captchas are usually only solvable about 80% of the time for humans.  Sometimes you have to guess and computers just don&#039;t guess well.

This is because OCR technology has gotten pretty good.  For example, the Captcha on the PayPal signup page is 100% defeatable with consumer grade OCR software.  Many people have already defeated it.

I think spammers are just not targeting you fully - yet.  Matt Woodward did similar stuff like you have done to combat spam.  After a while, the spammers were adapting to changes after just a few minutes.

Lastly, I&#039;ll take a Captcha over having to create an account on somebody&#039;s blog to make a comment any day!  I&#039;ll fill in a Captcha, but I won&#039;t create an account.</description>
		<content:encoded><![CDATA[<p>Barney,</p>
<p>While you may not like Captcha &#8211; the technology is here to stay until there is an international identification / authentication system in place.  According to the research, Captchas are usually only solvable about 80% of the time for humans.  Sometimes you have to guess and computers just don't guess well.</p>
<p>This is because OCR technology has gotten pretty good.  For example, the Captcha on the PayPal signup page is 100% defeatable with consumer grade OCR software.  Many people have already defeated it.</p>
<p>I think spammers are just not targeting you fully &#8211; yet.  Matt Woodward did similar stuff like you have done to combat spam.  After a while, the spammers were adapting to changes after just a few minutes.</p>
<p>Lastly, I'll take a Captcha over having to create an account on somebody's blog to make a comment any day!  I'll fill in a Captcha, but I won't create an account.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
