[Pmwiki-users] Hashcash ... an interesting idea for preventing spam
Neil Herber
nospam
Fri Dec 3 22:12:25 CST 2004
At 2004-12-03 09:09 AM -0500, Russ Fink is rumored to have said:
>Captchas are a bit harder, because the claim is that given the present
>art of computer science, only humans can discern the letters/numbers
>within the images. I've seen a few of these, and note that many involve
>criss-cross lines and other obvious artifacts. IMHO, it is only a matter
>of time before computational geometry and image recognition are able to
>overcome these limitations. When they do, there is still computational
>cost associated with it, and thus protection from captchas reduces to the
>same effect as hashcash.
My understanding is that hashcash places a computational burden on the user
in an attempt to reduce the rate at which the user can perform edits (or
distribute spam). The suggestion posted elsewhere in this thread that
PmWiki could just pause for a while before posting the edit moves the
burden to the server, and would probably not prevent a user from having
several edits going in parallel.
One of the control mechanisms employed by PHPBB is a "Flood Interval",
which is the number of seconds a user must wait between posts. I am not
sure if this is enforced by login name (because you can post anonymously,
if allowed) or by IP. Presumably PmWiki could do the same if it has a way
of preserving persistent data about IPs and posting times. I am not sure if
this would penalize multiple users behind a proxy or NAT box, because their
IPs would be the same.
PHPBB also uses captchas during registration to prevent bot signup, but it
turns out that there are many ways that captchas can be defeated. One
involves "free porn" sites which require victims to register. The
registration process actually serves the captcha image and input field
proxied from a targeted site to the victim, who fills it in. The
victim gets no porn, and the rogue site has a valid registration on the
target site. For more on this and other captcha defeats, see:
http://boingboing.net/2004/01/27/solving_and_creating.html
http://www.captcha.net/
It also appears that some captchas (gimpy) can now be machine recognized 92
percent of the time, and are thus useless.
http://www.cs.berkeley.edu/~mori/gimpy/gimpy.html
One property of these distorted-word captchas is that they effectively lock
out visually impaired users, but there are also aural captchas - distorted
sounds you must identify.
Readers who have slogged through all of this may be tempted to ask: "What is
the point?" My point is that the human-based solutions (monitoring RSS,
link approval, etc.) are probably the best thing to do if you want to have
a Wiki open to the world. If you have a less open Wiki, require
registration or put it behind HTTP Basic Authentication.
Neil
Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668
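
Added example, not part of the original message and not PmWiki code: a minimal hashcash-style stamp for wiki edits, showing that the search cost lands on the client while the server pays one hash and a lookup per edit. The stamp layout, SHA-256, `BITS`, `MAX_AGE` and the page name are assumptions made for illustration; this is not the real hashcash stamp format.

```python
import hashlib
import itertools

BITS = 16        # assumed difficulty: about 2**16 hashes per edit on average
MAX_AGE = 600    # assumed lifetime of a stamp, in seconds
spent = set()    # stamps already accepted; a real wiki would persist these


def zero_bits(stamp: str) -> int:
    """Leading zero bits of SHA-256(stamp)."""
    digest = hashlib.sha256(stamp.encode()).digest()
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(page: str, now: int) -> str:
    """Client side: brute-force a counter. The CPU cost lands here."""
    for counter in itertools.count():
        stamp = f"{BITS}:{now}:{counter}:{page}"
        if zero_bits(stamp) >= BITS:
            return stamp


def verify(stamp: str, page: str, now: int) -> bool:
    """Server side: one hash and a set lookup, whatever the client spent."""
    try:
        bits, issued, _counter, resource = stamp.split(":", 3)
        bits, issued = int(bits), int(issued)
    except ValueError:
        return False
    if bits < BITS or resource != page:
        return False    # too cheap, or minted for a different page
    if not 0 <= now - issued <= MAX_AGE:
        return False    # stale or future-dated
    if zero_bits(stamp) < bits:
        return False    # the claimed work was not done
    if stamp in spent:
        return False    # replay: every edit needs fresh work
    spent.add(stamp)
    return True


if __name__ == "__main__":
    t = 1_700_000_000                    # constructed timestamp
    s = mint("Main.WikiSandbox", t)      # constructed page name
    ok, replay = (verify(s, "Main.WikiSandbox", t + 5) for _ in range(2))
    print(s, ok, replay)                 # second use of the stamp is refused
```

Because a stamp is bound to one page and can be spent once, edits submitted in parallel each need their own search, so the cost grows with the number of edits rather than with elapsed time.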