My replies keep going to the original author. Grr.
Anyway, yeah, completely agree. Y’all who trumpet CAPTCHA as the FUSSP need to know who’s on the opposing team: http://scraping.pro/8-best-captcha-solving-services-and-tools/

You’re going to need to think about an SMS challenge as a basic, entry-level requirement.

Aloha,
Michael.

--
Michael J Wise
Microsoft Corporation | Spam Analysis
"Your Spam Specimen Has Been Processed."
Got the Junk Mail Reporting Tool? http://www.microsoft.com/en-us/download/details.aspx?id=18275

-----Original Message-----
From: mailop <mailop-boun...@mailop.org> On Behalf Of Rich Kulawiec via mailop
Sent: Thursday, May 9, 2019 2:54 PM
To: mailop@mailop.org
Subject: Re: [mailop] Howto be a good mailop (best practice / insights wanted)

On Thu, May 09, 2019 at 09:26:50AM -0400, Rob McEwen via mailop wrote:
> you should strongly encourage your customers to captcha-protect their
> signup forms to prevent bots from signing up spamtrap addresses.

No, you shouldn't. I'm going to quote something that I just sent elsewhere, so my apologies to anyone who's seen it.

Captchas are a worst practice. They can be and are defeated at will by any adversary who can trouble themselves to do so. [1] They're security theater: think Wile E. Coyote holding an umbrella over his head while a boulder drops toward him. [2]

Worth noting as well are (a) the continued and accelerating convergence of the trend lines denoting "captcha hard enough to defeat automation" and "captcha easy enough to be solvable by humans" and (b) the onerous additional burden that these often place on people who have diminished eyesight and hearing, who are part of different cultures, etc.

There are far better ways to defend resources, and -- judiciously deployed -- these methods are not nearly as susceptible to adversarial manipulation, nor do they make life more difficult for people whose lives are arguably difficult enough already.
---rsk

[1] Here's an example of what I mean by "defeated at will":

Wiseguys Indicted in $25 Million Online Ticket Ring | Threat Level | Wired.com
http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/

[2] A partial list of references follows. Do note that the contemporary state of the art in captcha-defeating techniques is much more advanced than any of these suggest. Of course it is: attacks always get better - they never get worse. (h/t to Bruce Schneier) Also, there's plenty of funding -- see footnote [1] above -- available to support research and development in this area that will NOT be helpfully published in blogs or journals. So consider what is enumerated below as the lower bound of what *was* possible and extrapolate markedly upwards to estimate what *is* currently available.

Stanford researchers outsmart captcha codes
http://www.physorg.com/news/2011-11-stanford-outsmart-captcha-codes.html

CIntruder: pentesting tool to bypass captchas
http://cintruder.sourceforge.net/

How a trio of hackers brought Google's reCAPTCHA to its knees | Ars Technica
http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/

Snapchat Account Registration CAPTCHA Defeated - Slashdot
http://it.slashdot.org/story/14/01/23/2037201/snapchat-account-registration-captcha-defeated

Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA
http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html

Troy Hunt: Breaking CAPTCHA with automated humans
http://www.troyhunt.com/2012/01/breaking-captcha-with-automated-humans.html

Slashdot | Now Even Photo CAPTCHAs Have Been Cracked
http://it.slashdot.org/article.pl?sid=08/10/14/1442213

Cheap CAPTCHA Solving Changes the Security Game
https://freedom-to-tinker.com/blog/felten/cheap-captcha-solving-changes-security-game/

unCAPTCHA Breaks 450 ReCAPTCHAs in Under 6 Seconds
https://www.bleepingcomputer.com/news/technology/uncaptcha-breaks-450-recaptchas-in-under-6-seconds/
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop