[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: hashcash and captchas (Was: Gentoo's response on them blocking access to their forums via Tor)

To: or-talk@xxxxxxxxxxxxx
Subject: Re: hashcash and captchas (Was: Gentoo's response on them blocking access to their forums via Tor)
From: Adam Langley <alangley@xxxxxxxxx>
Date: Mon, 8 Aug 2005 23:29:06 +0100
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Mon, 08 Aug 2005 18:29:25 -0400
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=K+rTPBD4hSXkfiHk05w6FHUlrq5Z10iqzAEb6MjyKPzKcy4ZiRkUizPd3VRtft1LWfwshnopiVAVABLTsZTQo62lPVcWNY5ADlSn8mV+5HXPMJfU3IDNCiXHdEmRQ/angGsXAOrlpaLAb2LX4iktqr5NMPi4NOOc0awrRioxqqM=
In-reply-to: <20050808215351.GA9717@localhost.localdomain>
References: <20050808184817.46421.qmail@web30707.mail.mud.yahoo.com> <42F7AB23.70805@eff.org> <4f9bdc4c050808135227fea264@mail.gmail.com> <396556a20508081413580d42e2@mail.gmail.com> <20050808215351.GA9717@localhost.localdomain>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

On 8/8/05, Matthias Fischmann <fis@xxxxxxxxxxxxxxxxx> wrote:
> (you all know the standard way to circumvent captchas, but just to be
> sure i'll mention it again: open up a porn site, promise free porn to
> whoever solves a few captchas for you, and have your bots proxy the
> challenges they cannot solve by themselves to an instantly available
> abundance of strangers who are eager to do help.  of course this is an
> option for more determined attackers only.)

OCR is getting pretty good to. There are a couple of good links in 
http://www.imperialviolet.org/page26.html#e509

>     Ben Laurie and Richard Clayton
>     "Proof-of-Work" Proves Not to Work
>     The Third Annual Workshop on Economics and Information Security (WEIS04)
>     http://www.cl.cam.ac.uk/users/rnc1/proofwork.pdf
> i don't know, but it's inspiring.  if anybody has an opinion on this
> i'm all ears.

I'm likewise very sceptical about hashcash for most of the reasons
outlined in that paper:
  * The range in performance of different hardware is so huge
  * It's pretty easy to harness CPU time, either by using
university(etc) lab machines or rooted Windows boxes.

CAPTCHAs are much better in both those respects. Setting up
distributed wet-ware networks (people paid with porn or workers in
some 3rd world country) is a risk. So it OCRing the captcha. The
latter is a techincal problem until we have a Turing complete AI and
the former is hardly the realm of Wikipedia morons and IRC trolls.

But despite these problems I don't see that there are many other
options. Wikipedia, Gentoo forums and friends have made it very clear
that they need a stick to hit some users with. At the moment that
stick is the banning of a scarce resource (IP addresses). Their
reaction to something which breaks this system (Tor) is to remove it.

We all know that authentication based on IP is bad, both from a
geek-ick reaction and the fact that it's hurting any anonymity on the
net. Setting up some other form of stick is a must I believe.

My plan was to make OpenID[1] widely usable[2], create a way to use
CAPTCHAs[3] to establish a proof of work and then to patch an IRCd to
allow Tor connections so long as they had a proof-of-work'ed OpenID
identity.

As so often happens, I got a little side tracked. But if someone wants
to push things for a little I might get back to it.

[1] http://www.openid.net
[2] http://openid.imperialviolet.org
[3] http://www.imperialviolet.org/captcha.html

AGL

-- 
Adam Langley                                      agl@xxxxxxxxxxxxxxxxxx
http://www.imperialviolet.org                       (+44) (0)7906 332512
PGP: 9113   256A   CC0F   71A6   4C84   5087   CDA5   52DF   2CB6   3D60

References:
- Re: Gentoo's response on them blocking access to their forums via Tor
  - From: Sean
- Re: Gentoo's response on them blocking access to their forums via Tor
  - From: Chris Palmer
- Re: Gentoo's response on them blocking access to their forums via Tor
  - From: Joel Franusic
- Re: Gentoo's response on them blocking access to their forums via Tor
  - From: Adam Langley
- hashcash and captchas (Was: Gentoo's response on them blocking access to their forums via Tor)
  - From: Matthias Fischmann

Prev by Author: Re: Gentoo's response on them blocking access to their forums via Tor
Next by Author: Re: DNS_leaks
Previous by thread: hashcash and captchas (Was: Gentoo's response on them blocking access to their forums via Tor)
Next by thread: Re: Gentoo's response on them blocking access to their forums via Tor
Index(es):
- Author
- Thread