On Thu, Jan 24, 2013 at 5:48 AM, Rich Kulawiec <rsk@gsp.org> wrote:
On Wed, Jan 23, 2013 at 01:20:07PM +0100, . wrote:
CAPTCHAS are a "defense in depth" that reduce the number of spam incidents to a number manageable by humans.
No, they do not. If you had actually bothered to read the links that I provided, or simply to pay attention over the last several years, you would know that captchas are not any kind of defense at all.
They're like holding up tissue paper in front of a tank: worthless.
(Yes, yes, I'm well aware that many people will claim that *their* captchas work. They're wrong, of course: their captchas are just as worthless as everyone else's. They simply haven't been competently attacked yet. And relying on either the ineptness or the laziness of attackers is a very poor security strategy.)
---rsk
It's true that relying on the laziness of attackers is statistically useful, but as soon as one becomes an interesting enough target that the professionals aim, then professional grade tools (which waltz through captchas more effectively than normal users can, by far) make them useless.

I disagree that they're entirely ineffective. The famous Wiley cartoon (found also in the frontispiece of the original Firewalls book...) "You have to be this tall to storm the castle" does apply. But knowing the relative height and availability of storm-the-captcha tools is important. They are out there, pros use them all the time, they are entirely effective.

--
-george william herbert
george.herbert@gmail.com