I never claimed that CAPTCHA is FUSSP - it isn't. ("strawman's arg") And
I realize that CAPTCHA can be defeated. That part wasn't news to me.
HOWEVER:
(1) never let the quest for perfection get in the way of achievable
incremental improvements (which is EXACTLY what Rich and Michael are doing!)
(2) just because a criminal or spammer *can* do something - doesn't mean
that it is feasible or easy or economical for them to deploy that
strategy EVERYWHERE - which is what their arguments against
CAPTCHA-protecting forms require.
(3) NOT every web form or "lead magnet" page is a big target. For every
one such form on a large Fortune 100 company's site (like what Michael
has to deal with) - for every one such high-profile form - there are
literally hundreds of thousands of web forms on small sole proprietors'
web sites and other small and medium-sized businesses' web sites. In
MOST of the instances where a bot does submissions to their forms, the
botmaster is simply not going to consider it worth the cost/effort to
try to defeat CAPTCHA, should that be added.
(4) Many of those SAME organizations are going to find adding CAPTCHA to
their webform - to be relatively easy and within their budget or within
their internal technical abilities. SMS... not so much. And many
automated SMS implementations are costly - often costing about 10K/year
just to get onboard ("let them eat cake" - is how this is starting to
come across... I'm sure that is chump change to many of you reading
this - but for many "mom and pop" companies running "lead magnet" web
forms for their small-ish ecommerce business - that is NOT affordable.)
(5) meanwhile, a massive percentage of sites are doing NONE of this. It
would be better for them to do CAPTCHA than nothing. Even though CAPTCHA
can be defeated, most of those sites are visible enough to have their
forms attacked by bots, but likely too small for a spammer or hacker to
find it worth their time to use CAPTCHA-defeating techniques on them.
(Plus - when I brought this up - I was originally referring to signup
forms - not login forms. I think that point got confused, too.)
Rob McEwen
On 5/9/2019 6:10 PM, Michael Wise via mailop wrote:
Y’all who trumpet CAPTCHA as the FUSSP need to know who’s on the
opposing team:
http://scraping.pro/8-best-captcha-solving-services-and-tools/
You’re going to need to think about an SMS challenge as a basic, entry
level requirement.
-AND-
On 5/9/2019 5:53 PM, Rich Kulawiec via mailop wrote:
No, you shouldn't. I'm going to quote something that I just sent
elsewhere, so my apologies to anyone who's seen it.
Captchas are a worst practice.<snip>
--
Rob McEwen
https://www.invaluement.com