
On Wed, 24 Nov 2004, Kees Cook wrote:
> On Wed, Nov 24, 2004 at 06:34:25AM -0600, Bob Jamison wrote:
> > Maybe instead of text, do what some e-shopping sites do. Have a pass phrase displayed on an image, and let the person type that in. Then the pass cannot be harvested.
> If it comes to that, yeah. The problem is that it hinders any visually impaired contributors. craigslist.org added "hear this word" links too. That's more coding, etc., since it requires some added libraries, etc.
I should also note that the state of the art in speech recognition and OCR is pretty far along, for these purposes anyway.
To give you a sense of where CAPTCHA OCR stood a year ago:
http://www.cs.berkeley.edu/~mori/gimpy/gimpy.html
Also, let's not forget the age-old tactic of hooking the back-end of the spamming tool to a porn site that requests CAPTCHA solutions of its users: free distributed human labor (and probably far more motivated than your own users, too).
My point is that fancy verification mechanisms are an arms race we can't really win, and the fancier or more difficult, the more legitimate users we would hurt.
I think it's more important that our verifier be unique than that it be particularly difficult. If spammers can't exploit economies of scale by utilizing off-the-shelf software, it becomes much less economical for them to spam us in particular.
-mental
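To make the "unique rather than difficult" idea concrete, here is an added example that is not from this thread or from the project's own code. It assumes a hypothetical pool of site-specific questions that any human contributor can answer but that no off-the-shelf spam tool knows about; the HMAC-signed token just stops the client from choosing its own question, forging a fresh token, or replaying one harvested answer. The question pool, key, and 15-minute limit are all invented for the example.

```python
"""Added example: a site-specific, deliberately easy form verifier.

The check is not meant to resist OCR or speech recognition; it is meant to
be something generic spamming software has not been written to answer.
Questions, secret key and time limit are hypothetical choices.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set, Tuple

# Hypothetical question pool for a hypothetical site: easy for people who
# belong here, unknown to off-the-shelf spam tools.
QUESTIONS = {
    "project": ("What is the name of this project, in lowercase?", "exampleproject"),
    "planet": ("What planet is this wiki hosted on?", "earth"),
}
MAX_AGE_SECONDS = 15 * 60  # assumed: a challenge must be answered within 15 minutes


def _mac(secret: bytes, qid: str, issued: int, nonce: str) -> str:
    """HMAC over the token fields so the client cannot alter any of them."""
    msg = f"{qid}:{issued}:{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_challenge(secret: bytes, qid: Optional[str] = None,
                    now: Optional[int] = None) -> Tuple[str, str]:
    """Return (prompt, token) to embed in the form.

    The token carries only the question id, issue time and a nonce, never the
    answer, and is bound to the server secret by the MAC.
    """
    if qid is None:
        qid = secrets.choice(sorted(QUESTIONS))
    if now is None:
        now = int(time.time())
    nonce = secrets.token_hex(8)
    token = f"{qid}:{now}:{nonce}:{_mac(secret, qid, now, nonce)}"
    return QUESTIONS[qid][0], token


def verify_answer(secret: bytes, token: str, answer: str, used: Set[str],
                  now: Optional[int] = None) -> bool:
    """Check the MAC, then the age, then single use, then the answer."""
    if now is None:
        now = int(time.time())
    parts = token.split(":")
    if len(parts) != 4:
        return False
    qid, issued_s, nonce, mac = parts
    if qid not in QUESTIONS or not issued_s.isdigit():
        return False
    issued = int(issued_s)
    # Verify the MAC before trusting anything else in the token.
    if not hmac.compare_digest(mac, _mac(secret, qid, issued, nonce)):
        return False
    if not 0 <= now - issued <= MAX_AGE_SECONDS:
        return False
    # One successful submission per token: a harvested answer cannot be replayed.
    if token in used:
        return False
    expected = QUESTIONS[qid][1]
    ok = hmac.compare_digest(answer.strip().lower().encode(), expected.encode())
    if ok:
        used.add(token)
    return ok


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    seen: Set[str] = set()
    prompt, tok = issue_challenge(key)
    print(prompt)
    print("accepted:", verify_answer(key, tok, "earth", seen) or
          verify_answer(key, tok, "exampleproject", seen))
```

The `used` set would be a database table or cache in a real deployment; the point of the example is the shape of the check, not the storage. Note that the question text itself is the only "difficult" part, and it is only difficult for software that was never taught this particular site.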