
Re: hashcash and captchas (Was: Gentoo's response on them blocking access to their forums via Tor)

On 8/8/05, Matthias Fischmann <fis@xxxxxxxxxxxxxxxxx> wrote:
> (you all know the standard way to circumvent captchas, but just to be
> sure i'll mention it again: open up a porn site, promise free porn to
> whoever solves a few captchas for you, and have your bots proxy the
> challenges they cannot solve by themselves to an instantly available
> abundance of strangers who are eager to help.  of course this is an
> option for more determined attackers only.)

OCR is getting pretty good too. There are a couple of good links in

>     Ben Laurie and Richard Clayton
>     "Proof-of-Work" Proves Not to Work
>     The Third Annual Workshop on Economics and Information Security (WEIS04)
>     http://www.cl.cam.ac.uk/users/rnc1/proofwork.pdf
> i don't know, but it's inspiring.  if anybody has an opinion on this
> i'm all ears.

I'm likewise very sceptical about hashcash for most of the reasons
outlined in that paper:
  * The range in performance of different hardware is so huge
  * It's pretty easy to harness CPU time, either by using university (etc.) lab machines or rooted Windows boxes.

CAPTCHAs are much better in both those respects. Setting up
distributed wet-ware networks (people paid with porn or workers in
some 3rd world country) is a risk. So is OCRing the captcha. The
latter is a technical problem until we have a Turing complete AI and
the former is hardly the realm of Wikipedia morons and IRC trolls.

But despite these problems I don't see that there are many other
options. Wikipedia, Gentoo forums and friends have made it very clear
that they need a stick to hit some users with. At the moment that
stick is the banning of a scarce resource (IP addresses). Their
reaction to something which breaks this system (Tor) is to remove it.

We all know that authentication based on IP is bad, both from a
geek-ick reaction and the fact that it's hurting any anonymity on the
net. Setting up some other form of stick is a must I believe.

My plan was to make OpenID[1] widely usable[2], create a way to use
CAPTCHAs[3] to establish a proof of work and then to patch an IRCd to
allow Tor connections so long as they had a proof-of-work'ed OpenID.

As so often happens, I got a little sidetracked. But if someone wants
to push things for a little I might get back to it.

[1] http://www.openid.net
[2] http://openid.imperialviolet.org
[3] http://www.imperialviolet.org/captcha.html


Adam Langley                                      agl@xxxxxxxxxxxxxxxxxx
http://www.imperialviolet.org                       (+44) (0)7906 332512
PGP: 9113   256A   CC0F   71A6   4C84   5087   CDA5   52DF   2CB6   3D60
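The hashcash-style proof of work the message is sceptical about, as an added illustration that is not part of the original message or of any project it links. The stamp format ("bits:resource:date:salt:counter") and the resource name are constructed for this example; the point it makes concrete is that the verifier pays one hash per stamp while the minter pays about 2**bits hashes, and that minting cost is what varies with hardware.

```python
import hashlib
import os
import time

# Constructed stamp format (not the real hashcash tool's format):
#   "bits:resource:date:salt:counter"
# A stamp is valid when SHA-1 over the whole string has at least `bits`
# leading zero bits.

def _leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n

def stamp_is_valid(stamp: str, resource: str, bits: int) -> bool:
    """Verifier side: one hash, bound to the resource and difficulty it expects."""
    fields = stamp.split(":")
    if len(fields) != 5 or fields[0] != str(bits) or fields[1] != resource:
        return False
    digest = hashlib.sha1(stamp.encode()).digest()
    return _leading_zero_bits(digest) >= bits

def mint_stamp(resource: str, bits: int, salt: bytes = b"") -> tuple:
    """Minter side: brute-force the counter. Returns (stamp, attempts)."""
    salt_hex = (salt or os.urandom(8)).hex()
    date = time.strftime("%y%m%d")
    counter = 0
    while True:
        stamp = f"{bits}:{resource}:{date}:{salt_hex}:{counter}"
        if _leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1
        counter += 1

def expected_attempts(bits: int) -> int:
    """Average hash evaluations the minter needs per stamp: 2**bits."""
    return 2 ** bits

if __name__ == "__main__":
    stamp, attempts = mint_stamp("forum.example", 16)
    print(stamp, attempts, stamp_is_valid(stamp, "forum.example", 16))
```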