That's my point (in a way). Image-based captchas are not that difficult to bypass, so if individual sites didn't use a captcha on all new registrations, it makes it easier for the spammer to target the OpenID provider(s) instead to create thousands of accounts to use on tens of thousands of websites until it gets shut down. Anyway, the Lemur catta idea is interesting, which is why I mentioned it. And the good part is that so few blogs use it that spammers have no incentive to make an effort to even brute-force that kind of method, provided it is implemented slightly differently everywhere. Which is pretty much all we can do at this point in terms of these kinds of captchas. Now, whoever thinks of something better will then have hordes of VC firms running after them, grin.
Your point about blogs is one to think about, but then when you realize what kind of thing MySpace, Facebook, AOL and others are doing, they have a bigger incentive to make themselves one of the bigger OpenID providers and don't have an incentive to really *trust* one another. Identity matters even more on sites like those, and I just can't see some of the things you'd like happen happen, especially but not exclusively to OpenID. I would love to see something like OpenID involve more accessibility and trust, but don't forget there are problems even if that happened. One provider, a single point of attack, possibly huge implications and possibilities by breaching, storing all your eggs in one basket, whatever you want to call it. And just on principle, a lot of companies wouldn't be happy about any de facto provider because it's not them. Soooo...it's going to be a long, hard, difficult path.

cheers,
jane

On Wed, Oct 8, 2008 at 10:56 AM, Chris Blouch <[EMAIL PROTECTED]> wrote:
> Top posting just because I'm lazy <smile>
>
> The main problem isn't spammers getting through captcha and creating one account, it's spammers generating hundreds or thousands of accounts. That's really the only way they can send out millions of spams without getting shut down by filters. So they take a few thousand email addresses and send 100 mails from each of them to obscure the source. Anything which lowers the barrier to entry such that an algorithm can generate an account is going to attract bad behavior.
>
> The Lemur CATTA is an interesting idea. I'll have to pass that around. They do suggest presenting text as images which is an accessibility issue but the basic idea has merit. In level 2 it also suggests manually generating the questions which means a pretty small defined set, something a spammer could sniff out with their software. So even if you have 100 questions, that leaves a 1:100 chance of getting it right by brute force. So they just have to try 100,000 times to generate 1000 bogus accounts. This is easily done through an army of zombies in a bot net. Of course CATTA asking 10% of a company's profits to use their software probably won't go anywhere.
>
> The profits to be made and the ingenuity of the spammers are really quite amazing. It's not just some kid in the basement fooling around for fun anymore. It's organized paid professionals making bags of bucks by circumventing security. Blogs have limited reach and live under some measure of security by obscurity. It's the Hotmails, Gmails, AOL mails, Facebooks and MySpaces of the world that have the most trouble and need a good solution. We need accessible solutions to prevent locking folks out from popular services.
>
> CB
