Message-ID: <20200524130535.30715.qmail@stuge.se>
Date: Sun, 24 May 2020 13:05:35 +0000
From: Peter Stuge
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [RFC] Anti-spam for goose
In-Reply-To: <20200523214927.1dc7f35e@katipo2.lan>

Kent Fredric wrote:
> > While services such as reCAPTCHA are (as said) massively intrusive, there
> > are other, much less intrusive and even terminal-compatible ways to construct
> > a CAPTCHA. Hello game developers, you have 80x23 "pixels" to render a puzzle
> > for a human above the response input line - that's not so bad.
>
> Well, they kinda have to be,

I disagree with that, especially for this service, that was the point
I wanted to make. :)

> the state of AI is increasing so much that current captcha systems
> undoubtedly also develop their own adversarial AI to try beat their
> own captcha.
>
> I don't think we have the sort of power to develop this.

In any case I don't think that's required.

> And the inherently low entropy of only having 80x23 with so few
> (compared to full RGB) bits per pixel,

A character doesn't compare too bad to RGB. See aalib, or if you will
risk exclusion of color-vision-impaired humans libcaca.

> this gives any would-be AI a substantial leg up.
>
> Using text distortion is amateur hour these days.
>
> (and there's always mechanical-turk anyway)

Except this isn't for some web-scale disruptive startup, it's a
statistics/reputation system for an advanced, super-nerdy Linux
distribution.

Please think more about the threat model, and remember the rate limit
knob. The bar only needs to be raised high enough.

//Peter