Sunday, January 30, 2005

That didn't take long: CAPTCHA is irrelevant

As soon as I heard dasBlog and other blog engines had implemented CAPTCHA tests on the comment forms, I knew it was only a matter of time before it was shown to be irrelevant. But Casey Chesnut has defeated it even quicker than I thought would happen.

He simply spent a few minutes studying the implementation, figuring out its limits and patterns, then wrote a bit of AI to decipher the images. His routine only has a success rate of 50%, but that's more than sufficient to perform comment spam. To prove his point, he ran it against over 90 blogs on msmvps.com.

This is the precise reason I never even considered enabling this feature of dasBlog. It is easily circumventable, and really does nothing more than interfere with your real readers' ability to contribute.

This emperor has no clothes.

Hats off to you Casey, this false security needed to be called out.

Sunday, January 30, 2005 9:38:52 PM (Eastern Standard Time, UTC-05:00)
This is not necessarily surprising. A few years back I took a Master's Degree in AI (and Robotics) and wrote some handwriting recognition software (http://dotnetworkaholics.com/csharp/HandwritingRecognition.html).

That said, since installing Miguel Jimenez's HIP-CAPTCHA control (http://blogs.clearscreen.com/migs/archive/2004/11/10/575.aspx) myself, only one piece of comment spam has appeared on my blog. Not bad, as the blog was sometimes getting five pieces a day before. That made me happy; a blog (that I make no money from) was happily functioning again.

We all know that spammers are simply greedy, money-hungry bottom feeders. Could they figure out the AI themselves? That is seriously doubtful. Posting information on how to defeat CAPTCHA controls is like posting how to make explosives or pipe bombs. Yes, it gives the poster a minor ego boost in showing how clever he/she is, but harms many, many innocent people.

I guess this is modern life. When someone discovers a simple way to make an A-Bomb or Bio-weapon it will be posted… and I wonder what the outcome will be?

At least the guy did not release his code yet, but I am sure the spammers have sent the article + $100 to the Indian/Eastern European coders they employ who are already working on implementing solutions to make us turn comments off YET AGAIN.

This guy is an MVP? Sheesh. Valuable to who?

Sunday, January 30, 2005 10:42:46 PM (Eastern Standard Time, UTC-05:00)
Why did he post this? Do you feel like a man now? You know, there are probably a million programmers who could have done this, but you're the one who taught the fifty million that can't. Nice going, ace. Congratulations.

Never mind if it CAN be done, think of whether or not it SHOULD be done.

Good job, though. I respect that he actually did it (even if I do have to find another way to keep the stupid spam bots off my site).

Sunday, January 30, 2005 10:47:12 PM (Eastern Standard Time, UTC-05:00)
Keith, no one ever thought it was secure. I never thought it would stop comment spam. I did, however, think that it would hold it off a while so I could do something other than delete links to porn and gambling sites. Now, thanks to this genius, I have to start deleting the shite again.

So you never used it because you thought it was stupid? I respect you, man, but that is so over-the-top.

You think that it was "inconvenient" for your readers? What about the sites that don't even have comments? How convenient are they?

This pisses me off.
View Keith Rome's profile on LinkedIn

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.
