Re: hashcash and captchas (Was: Gentoo's response on them blocking access to their forums via Tor)
On 8/8/05, Matthias Fischmann <fis@xxxxxxxxxxxxxxxxx> wrote:
> (you all know the standard way to circumvent captchas, but just to be
> sure i'll mention it again: open up a porn site, promise free porn to
> whoever solves a few captchas for you, and have your bots proxy the
> challenges they cannot solve by themselves to an instantly available
> abundance of strangers who are eager to do help. of course this is an
> option for more determined attackers only.)
OCR is getting pretty good too. There are a couple of good links in
http://www.imperialviolet.org/page26.html#e509
> Ben Laurie and Richard Clayton
> "Proof-of-Work" Proves Not to Work
> The Third Annual Workshop on Economics and Information Security (WEIS04)
> http://www.cl.cam.ac.uk/users/rnc1/proofwork.pdf
> i don't know, but it's inspiring. if anybody has an opinion on this
> i'm all ears.
I'm likewise very sceptical about hashcash for most of the reasons
outlined in that paper:
* The range in performance of different hardware is so huge
* It's pretty easy to harness CPU time, either by using
university(etc) lab machines or rooted Windows boxes.
CAPTCHAs are much better in both those respects. Setting up
distributed wet-ware networks (people paid with porn or workers in
some 3rd world country) is a risk. So is OCRing the captcha. The
latter is a technical problem until we have a Turing complete AI and
the former is hardly the realm of Wikipedia morons and IRC trolls.
But despite these problems I don't see that there are many other
options. Wikipedia, Gentoo forums and friends have made it very clear
that they need a stick to hit some users with. At the moment that
stick is the banning of a scarce resource (IP addresses). Their
reaction to something which breaks this system (Tor) is to remove it.
We all know that authentication based on IP is bad, both from a
geek-ick reaction and the fact that it's hurting any anonymity on the
net. Setting up some other form of stick is a must I believe.
My plan was to make OpenID[1] widely usable[2], create a way to use
CAPTCHAs[3] to establish a proof of work and then to patch an IRCd to
allow Tor connections so long as they had a proof-of-work'ed OpenID
identity.
As so often happens, I got a little sidetracked. But if someone wants
to push things for a little I might get back to it.
[1] http://www.openid.net
[2] http://openid.imperialviolet.org
[3] http://www.imperialviolet.org/captcha.html
AGL
--
Adam Langley agl@xxxxxxxxxxxxxxxxxx
http://www.imperialviolet.org (+44) (0)7906 332512
PGP: 9113 256A CC0F 71A6 4C84 5087 CDA5 52DF 2CB6 3D60