[Standards-JIG] bot-challenge proto-JEP

Ian Paterson ian.paterson at clientside.co.uk
Wed Aug 31 17:30:35 UTC 2005


> > Textual questions if not written by the user (i.e. come from a standard
> > library of questions) are completely useless as spammers will easily
> > be able to build up a list of questions and answers that their
> > spamming bots can automatically reply to with the correct answer.

Yes.

> Users and server admins should be smart enough to:
> * not use such lists,
> * be creative and invent their own questions (the number of possible
>   questions is unlimited),
> * users (privacy lists) will be smart enough to change their question when
>   some spimmer finds the answer,
> * admins (in-band registration) will be smart enough to change questions from
>   time to time (especially commercial servers like Google); at least they will
>   be able to replace questions that spimmers know the answer to.

*Server admins* cannot win this battle. The creativity required to write
thousands of questions that every Aunt Tillie can answer requires far
more work than answering them. SPIM bots could have low-paid human
assistants who give them answers to all new questions the server admins
come up with. IMHO companies like Google would need to employ 10
full-time question inventors for every single full-time bot assistant.

I'm not even sure most users could be relied upon to come up with
original enough questions that *everybody* could answer. (Judging by
Aunt Tillie's small dictionary of passwords.) Bots would only need to
answer a small percentage of questions right, so they could simply
search for popular word combinations and link them to the answers (e.g.
'President', 'America' -> 'Bush')


> > The image (captcha) and audio tho should be
> > accessible enough for both blind and deaf people to use

Yes. And thanks to Hashcash most desktop client users won't need to pass
any challenges at all. See work in progress:
http://www.clientside.co.uk/jeps/jep-challenge/jep-challenge.html#captcha-intro

> What about deaf people?

Wouldn't they just use the visual challenges?


I don't know about everyone else, but I'm getting tired of this "text
CAPTCHA vs multimedia CAPTCHA" topic. Sander, the text questions and
answers you suggested are part of the proto-JEP, thank you for the idea.
:) If they prove to be the best challenges, then people *will* use them
instead of the multimedia CAPTCHAs.

*Please remember that the flexibility and extensibility of the protocol
means we don't need to care which challenges will be best now or at any
time in the future.*

- Ian



