Mailing List Archive



Re: [tlug] CAPTCHA on keitai



On 2008-03-23 04:49 +0900 (Sun), Stephen J. Turnbull wrote:

> Curt Sampson writes:
> 
>  > Indeed, very true. To restate my point, given that they certainly have
>  > the capability to write software that will get around your particular
>  > form of protection, what makes you believe that they will take even a
>  > minimal amount of effort to do this for your site rather than just aim
>  > their automated systems at plenty of other sites out there that use more
>  > standard systems?
> 
> (1) As (dark-side) hackers, they take pride in their dirty deeds done
> dirt cheap.  They'll do this for hate, not money.

Do you have any evidence for this point? Let me present some to the
contrary. According to Jeff Atwood:

    The comment form of my blog is protected by what I refer to as
    "naive CAPTCHA", where the CAPTCHA term is the same every single
    time. This has to be the most ineffective CAPTCHA of all time, and
    yet it stops 99.9% of comment spam.

    http://www.codinghorror.com/blog/archives/000712.html

As another anecdote, ever since I switched the software on the
keitai-dev wiki from Meatball Wiki to something much less common, my
previously enormous spam problems have gone away. I have no captcha (or
any other attempt to prevent spam) in place at all.

> (2) My main point is that it's unlikely that the standard is all that
> standard that deviating from it in a "significant" way is all that
> easy.  Remember our side is fairly constrained in how we can hide
> stuff, because our users have to be able to see it.

Not at all. For example, you can freely change the names of your form
input fields to anything you like; your users never see those (except
perhaps in the URL of a GET request). That one change alone may well
stop a program, if few enough other people are doing it that they've
not bothered to try and work out some automated way of dealing with new
field names.

>  > Well, if the spam problem is any indication, you're not likely to get one.
> 
> The spam problem is harder because neither postage nor authentication
> is acceptable to most spam-fighters.
> 
> I think either audio: "Type D O G B E R T in the box", or Josh's "what
> is this image a picture of: cat dog car rabbit spammer-in-a-blender??" 
> are big (fairly) cheap wins.

They're not; they've all been beaten. If the common spam-sending
programs are not defeating them, it's merely because they're not widely
enough used to make it worthwhile.

cjs
-- 
Curt Sampson       <cjs@example.com>        +81 90 7737 2974   
Mobile sites and software consulting: http://www.starling-software.com
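
The field-renaming point in the message above, as an added example that is not part of the original post: a comment form whose input names are derived from a per-site secret, so a program that fills in the stock names fails while users see the same labels. The logical field names, the `f_` prefix and the secret are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Logical fields of a stock comment form (names assumed for illustration).
LOGICAL_FIELDS = ("author", "email", "comment")


def field_names(site_secret: bytes) -> dict:
    """Map each logical field to a site-specific name derived from the secret."""
    names = {}
    for logical in LOGICAL_FIELDS:
        digest = hmac.new(site_secret, logical.encode(), hashlib.sha256).hexdigest()
        names[logical] = "f_" + digest[:12]
    return names


def render_form(site_secret: bytes) -> str:
    """Visible labels are unchanged; only the name attributes differ per site."""
    names = field_names(site_secret)
    rows = [
        f'<label>{logical.title()} <input name="{names[logical]}"></label>'
        for logical in LOGICAL_FIELDS
    ]
    return '<form method="post">\n' + "\n".join(rows) + "\n</form>"


def parse_submission(site_secret: bytes, body: str):
    """Return the logical fields, or None if the POST does not match this site's form."""
    posted = parse_qs(body, keep_blank_values=True)
    names = field_names(site_secret)
    # A client that fills in the stock names was not driven by our rendered form.
    if any(logical in posted for logical in LOGICAL_FIELDS):
        return None
    # Every renamed field must be present, even if left blank.
    if any(names[logical] not in posted for logical in LOGICAL_FIELDS):
        return None
    return {logical: posted[names[logical]][0] for logical in LOGICAL_FIELDS}


SECRET = b"constructed-example-secret"  # constructed value, not a real key
```

As the message says, this only helps while few enough sites do it that nobody has automated reading the names out of the rendered form.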

