Re: [gentoo-project] Spam reduction proposal - switching lists to a web-form for subscription

["Robin H. Johnson" <robbat2@gentoo.org>]

[-- Attachment #1: Type: text/plain, Size: 2705 bytes --]

On Thu, May 28, 2009 at 12:20:35AM +0200, Marijn Schouten (hkBst) wrote:
> The reCAPTCHA page mentions[1] that simple text recognition (with minimal
> distortion) is easy to do with computer programs.
I think you misread part of that page.
The sentence in question is (added emphasis mine):
"For example, the CAPTCHAs ***shown below*** can all be broken using image
processing techniques, mainly because they use a consistent font."
(and there is an image comprised of several past generations of
captcha).  

reCAPTCHA breakage rates remain lower than other captcha variants, since
the source material is not generated, comes from old books.

Nowhere did I claim that captchas could not be defeated.
- Web-service to do it for you:
  http://www.captchakiller.com/
- How 4chan did it (in the end, actually attacking the methodology of
  reCAPTCHA - any word submitted consistently for the same testcase
  wins, regardless of actually matching): 
  http://musicmachinery.com/2009/04/27/moot-wins-time-inc-loses/
- From DEFCON 2008:
  http://captchatalk.com/

Then there are all the folk that realize you can outsource the problem
to humans in third world countries cheaper or on porn sides than the
processing time required to attack via OCR.

> Given that the calculus-captcha are non-distorted LaTeX'ed formulas we
> should therefore probably assume that computers can read those
> formulas. They only seem to have very few kinds of questions (zeros of
> small polynomials, differentiation of some trigonometric functions
> (only cos and sin), arithmetic), all of which are extremely simple
> especially for a program[1]. If this CAPTCHA becomes widespread
> someone WILL break it.
I gave the calculus captcha as a joke, and I'm surprised nobody called
me on it. The level of human required to correctly answer some of the
actual calculus questions is beyond a lot of our user-base (no offense
to them, but they just haven't covered that in formal or informal
education).

The captcha just needs to be passably good enough to protect a single
text field of the email address to subscribe.

The only other complaint of value in this thread thus-far was Dale
noting that he's one of the users that would need the audio variant, but
doesn't have enough bandwidth (stuck on very slow dialup) to stream it.
To address that then, as it's only going to be a small percentage, I'm
going to have a message at the bottom of the page, telling that subset
of users to just email me as the list postmaster.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[-- Attachment #2: Type: application/pgp-signature, Size: 330 bytes --]