On Thu, Jan 24, 2013 at 11:00:50AM -0500, Andrew Sullivan wrote: > On Thu, Jan 24, 2013 at 09:50:15AM -0600, Joe Greco wrote: > > > A CAPTCHA doesn't need to be successful against every possible threat, > > it merely needs to be effective against some types of threats. For > > example, web pages that protect resources with a CAPTCHA are great at > > making it much more difficult for someone with l33t wget skills from > > scraping a website. > > Well, yes and no. Lately, AFAICT, most CAPTCHAs have been so > successfully attacked by wgetters that they're quite easy for machines > to break, but difficult for humans to use. For example, I can testify > that I now fail about 25% of the reCAPTCHA challenges I perform, > because the images are so distorted I just can't make them out (it's > much worse on my mobile, given the combination if its small screen and > my middle-aged eyes). > > So it's now more like airport security: a big hassle for the > legitimate users but not really much of a barrier for a real > attacker. A poor trade-off.
"A Modest Proposal": Maybe we need to turn it around and fail on successful recognition of the CAPTCHA, then? -- Mike Andrews, W5EGO [email protected] Tired old sysadmin
