[Pmwiki-users] Hashcash ... an interesting idea for preventing spam

Neil Herber nospam
Fri Dec 3 22:12:25 CST 2004


At 2004-12-03  09:09 AM -0500, Russ Fink is rumored to have said:
>Captchas are a bit harder, because the claim is that given the present 
>art of computer science, only humans can discern the letters/numbers 
>within the images.  I've seen a few of these, and note that many involve 
>criss-cross lines and other obvious artifacts.  IMHO, it is only a matter 
>of time before computational geometry and image recognition are able to 
>overcome these limitations.  When they do, there is still computational 
>cost associated with it, and thus protection from captchas reduces to the 
>same effect as hashcash.

My understanding is that hashcash places a computational burden on the user 
in an attempt to reduce the rate at which the user can perform edits (or 
distribute spam). The suggestion posted elsewhere in this thread that 
PmWiki could just pause for a while before posting the edit moves the 
burden to the server, and would probably not prevent a user from having 
several edits going in parallel.

One of the control mechanisms employed by PHPBB is a "Flood Interval", 
which is the number of seconds a user must wait between posts. I am not 
sure if this is enforced by login name (because you can post anonymously, 
if allowed) or by IP. Presumably PmWiki could do the same if it has a way 
of preserving persistent data about IPs and posting times. I am not sure if 
this would penalize multiple users behind a proxy or NAT box, because their 
IPs would be the same.

PHPBB also uses captchas during registration to prevent bot signup, but it 
turns out that there are many ways that captchas can be defeated. One 
involves "free porn" sites which require victims to register. The 
registration process actually serves the captcha image and input field 
proxied from a targeted site to the victim, who fills it in. The 
victim gets no porn, and the rogue site has a valid registration on the 
target site. For more on this and other captcha defeats, see:

http://boingboing.net/2004/01/27/solving_and_creating.html
http://www.captcha.net/

It also appears that some captchas (gimpy) can now be machine recognized 92 
percent of the time, and are thus useless.

http://www.cs.berkeley.edu/~mori/gimpy/gimpy.html

One property of these distorted-word captchas is that they effectively lock 
out visually impaired users, but there are also aural captchas - distorted 
sounds you must identify.

Readers who have slogged through all of this may be tempted to ask: "What is 
the point?" My point is that the human-based solutions (monitoring RSS, 
link approval, etc.) are probably the best thing to do if you want to have 
a Wiki open to the world. If you have a less open Wiki, require 
registration or put it behind HTTP Basic Authentication.


Neil

Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668 
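
The cost split discussed in the message above (work done by the submitter, a single hash on the server), as an added example that is not part of the original post or of PmWiki. It uses a simplified hashcash-style stamp layout with SHA-1; the difficulty, the page name and the `StampChecker` class are assumptions made for illustration.

```python
import hashlib
import os
from itertools import count

BITS = 12  # assumed difficulty: about 2**12 hashes per stamp on average


def leading_zero_bits(digest):
    """Number of zero bits at the front of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(resource, bits=BITS):
    """Submitter side: try counters until the stamp hash has `bits` leading zeros.
    The resource (page name) must not contain ':' in this simplified layout."""
    salt = os.urandom(8).hex()
    for counter in count():
        stamp = f"{bits}:{resource}:{salt}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp


class StampChecker:
    """Server side: one hash per check, plus a spent set so a stamp pays for one edit."""

    def __init__(self, bits=BITS):
        self.bits = bits
        self.spent = set()

    def accept(self, stamp, resource):
        parts = stamp.split(":")
        try:
            claimed = int(parts[0])
        except ValueError:
            return False
        if len(parts) != 4 or claimed < self.bits or parts[1] != resource:
            return False  # malformed, too cheap, or minted for another page
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed:
            return False  # the claimed work was not done
        if stamp in self.spent:
            return False  # replay of an already used stamp
        self.spent.add(stamp)
        return True


if __name__ == "__main__":
    checker = StampChecker()
    stamp = mint("Main.HomePage")            # constructed page name
    print(checker.accept(stamp, "Main.HomePage"))  # first use
    print(checker.accept(stamp, "Main.HomePage"))  # replayed stamp
```

Because each stamp is bound to one page and can be spent once, edits submitted in parallel each need their own stamp, so the work scales with the number of edits rather than with wall-clock time.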



