(crossposted to the Geeks list; if we continue this thread, we should
probably continue it there)
On Oct 27, 2007, at 4:10 PM, Edward Lorden wrote:
A website for which I am responsible has had similar attacks.
While investigating CAPTCHA alternatives, I found several articles
on the drawbacks of the technology. While it can help with some
spambot attacks, there are others that will be able to crack many
of these methods without too much trouble. One of the most
insidious is called the Man in the Middle scenario. In this
scenario, the attacker has set up a free porn website and uses your
CAPTCHA image as part of the sign up criteria. In this way, a
human being provides the solution in the CAPTCHA puzzle which is
then used to gain access to your site. I provide this information
more as a warning than anything else. I’ve gone ahead and
implemented a CAPTCHA puzzle but have continued to look for other
ways to verify that it is a human that is actually accessing the
site. If you wish, I can provide more details as they become
available.
I am well aware of the deficiencies of CAPTCHAs. I have seen
references to the mechanical turk approach to defeating CAPTCHAs,
though that approach greatly increases the cost of defeating a
CAPTCHA (bandwidth, advertising costs to get users to the site, etc).
I have not seen any widespread abuse of CAPTCHA systems using that
method, however; there are much easier ways of getting around such
systems.
Much easier is to simply hire a human to post spam to blogs and
wikis. That is what many of those spams you see about "make money by
just surfing the internet" are all about; they do actually pay people
(very small amounts) to post wiki and blog spam. There will never be
any sort of automated system to detect these users (unless some sort
of realtime blacklist system is set up that is run by trustworthy
administrators), so if that becomes a problem, we'll have to take new
approaches.
My approach to securing the wiki against vandalism and spam is to
make it as lenient as possibly while preventing any large-scale
abuses that are far beyond what we can reasonably handle by manually
reverting and blocking users. A manual revert once a month isn't all
that bad; several per day is just too frustrating to deal with, and
will bring the productivity of people who work on the wiki way down.
So far, we've only seen vandalbot attacks, as far as I can tell, so
blocking those with a CAPTCHA should be sufficient. If we start
seeing human attacks, we may need to block URL posting for untrusted
users, or require admin approval before people can edit, or possibly
only allow certain keywords to be input by untrusted users; it all
depends on what we see.