Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Helder .]

On Tue, Jan 22, 2013 at 5:18 PM, Luke Welling WMF
 wrote:
> That was not the end of the problem I was referring to. We know our
> specific captcha is broken at turning away machines. As far as I am aware
> we do not know how many humans are being turned away by the difficulty of
> it.  It's a safe bet that it is non-zero given the manual account requests
> we get, but given that we have people to do those kinds of experiments it
> would make sense to get a number from them before making any drastic
> decisions based on a reasonable gut feeling.  I don't think anybody claims
> to have a perfect solution to the spam vs usability balancing act, so it's
> possible we'll try (and measure) a few approaches.

I think the impact on humans will be mensurable once actions which
trigger a CAPTCHA are logged:
https://bugzilla.wikimedia.org/show_bug.cgi?id=41522
https://gerrit.wikimedia.org/r/#/c/40553/

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Luke Welling WMF]

I don't know if we are talking at cross purposes, or if I missed it, but
this paper:
http://elie.im/publication/text-based-captcha-strengths-and-weaknesses
does not try to answer my question.

What I want to know is "*How many humans get turned away from editing
Wikipedia by a difficult captcha?*"

The same authors have:
http://elie.im/publication/how-good-are-humans-at-solving-captchas-a-large-scale-evaluation
which is closer to what I want to know.  They show humans solving different
text based captures with an accuracy rate of 70% to 98%. Unfortunately,
Wikipedia was not one of the captcha schemes they used in that study, and
they don't attempt to measure how many people try again if they fail.

If 2% of people fail on the first try but 90% of the fails reattempt and
only 1% fail a second time that's an inconvenience, but probably worth it
if it reduces the inconvenience of spam.

If 30% of people fail on the first try and 90% of them give up and never
try to edit again, that's a disaster.

Luke




On Wed, Jan 23, 2013 at 12:24 AM, Federico Leva (Nemo)
wrote:

> Luke, "we do not know how many humans are being turned away by the
> difficulty": actually we sort of do, that paper tells this as well. It's
> where their study came from, and gives recommendations on what captcha
> techniques are best for balancing efficacy with difficulty for humans. We
> don't seem to be following any (except waving, which, they say, shouldn't
> be used alone).
> Then, I'm not qualified to say if their recommendations are the best and
> I've not searched other studies, but it's not correct to say that we start
> from zero or that we have to study by ourselves (an unreasonable
> requirement that implies we'll never change anything until we'll be forced
> to make our wikis read-only due to spam, as many MediaWiki users before us).
>
>
> Nemo
>
> __**_
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/**mailman/listinfo/wikitech-l
>
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Federico Leva (Nemo)]

Luke, "we do not know how many humans are being turned away by the 
difficulty": actually we sort of do, that paper tells this as well. It's 
where their study came from, and gives recommendations on what captcha 
techniques are best for balancing efficacy with difficulty for humans. 
We don't seem to be following any (except waving, which, they say, 
shouldn't be used alone).
Then, I'm not qualified to say if their recommendations are the best and 
I've not searched other studies, but it's not correct to say that we 
start from zero or that we have to study by ourselves (an unreasonable 
requirement that implies we'll never change anything until we'll be 
forced to make our wikis read-only due to spam, as many MediaWiki users 
before us).


Nemo

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Nikola Smolenski]

On 22/01/13 18:43, David Gerard wrote:

On 22 January 2013 17:37,   wrote:

Per the previous comments in this post, anything over 1% precision
should be regarded as failure, and our Fancy Captcha was at 25% a year
ago. So yeah, approximately all, and our captcha is well known to
actually suck.



Maybe you'll just use recaptcha instead of fancycaptcha?


The problem is that reCaptcha (a) used as a service, would pass
private user data to a third party (b) is closed source, so we can' t
just put up our own instance. Has anyone reimplemented it or any of
it? There's piles of stuff on Wikisource we could feed it, for
example.


http://wikimania2012.wikimedia.org/wiki/Submissions/Wikicaptcha:_a_ReCAPTCHA-like_solution_for_Wikisource

https://github.com/CristianCantoro/wikicaptcha

I don't know what ultimately came of it.

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] Why are we still using captchas on WMF sites?

[John Vandenberg]

There is a Firefox extension to get past the captchas...

-- Forwarded message --
From: Graham Pearce 
Date: Wed, Jan 23, 2013 at 5:41 PM
Subject: Re: Fwd: [Wikitech-l] Why are we still using captchas on WMF sites?
To: John Vandenberg 


Yes, I have. There isn't an essay about it as such, but in this edit to the help
page about using JAWS:
http://en.wikipedia.org/w/index.php?title=Wikipedia:Using_JAWS&diff=32016&oldid=320037024

I offered to help people use WebVisum, a Firefox extension to get past
the captchas:
http://webvisum.com

It's an invite-only system. Nobody took up my offer, but I notice now
that there's a page to request invitations:
http://www.webvisum.com/en/main/invitationrequest

So maybe it's not so necessary ...

Feel free to pass this reply on to whoever you like.

Graham


On 23/01/2013 12:07 PM, John Vandenberg wrote:
>
> Have you heard about this?
>
> is there a wiki essay about this accessibility problem?
>
>
> -- Forwarded message --
> From: Chris Grant 
> Date: Wed, Jan 23, 2013 at 2:33 PM
> Subject: Re: [Wikitech-l] Why are we still using captchas on WMF sites?
> To: Wikimedia developers 
>
>
> On Wed, Jan 23, 2013 at 3:53 AM, Bawolff Bawolff  wrote:
>>
>> Someone should write a browser addon to automatically decode and fill in
>> captchas for blind users. (Only half joking)
>
> Don't joke, I have a blind relative who's screen reader does just that
> (simple captchas only).
>
> There are other services like http://www.azavia.com/zcaptcha which is
> specifically for the blind, but hell its probably cheaper to use the same
> captcha reading services that the spammers do.
>
> -- Chris
>
> On Wed, Jan 23, 2013 at 3:53 AM, Bawolff Bawolff  wrote:
>
>> On 2013-01-22 3:30 PM, "aude"  wrote:
>>>
>>> On Tue, Jan 22, 2013 at 8:18 PM, Luke Welling WMF <
>>
>> lwell...@wikimedia.org
>>>
>>> wrote:
>>>
>>>> That was not the end of the problem I was referring to. We know our
>>>> specific captcha is broken at turning away machines. As far as I am
>>
>> aware
>>>>
>>>> we do not know how many humans are being turned away by the difficulty
>>
>> of
>>>>
>>>> it.
>>>
>>>
>>> It's at least impossible for blind users to solve the captcha, without an
>>> audio captcha.  (unless they manage to find the toolserver account
>>
>> creation
>>>
>>> thing and enough motivated to do that)
>>>
>>> I am not convinced of the benefits of captcha versus other spam filtering
>>> techniques.
>>>
>>> Cheers,
>>> Katie
>>>
>>>
>>>
>> Someone should write a browser addon to automatically decode and fill in
>> captchas for blind users. (Only half joking)
>>
>> -bawolff
>> __**_
>>>>>
>>>>> Wikitech-l mailing list
>>>>> Wikitech-l@lists.wikimedia.org
>>>>> https://lists.wikimedia.org/**mailman/listinfo/wikitech-l<
>>>>
>>>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l>
>>>> ___
>>>> Wikitech-l mailing list
>>>> Wikitech-l@lists.wikimedia.org
>>>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>>>>
>>>
>>>
>>> --
>>> @wikimediadc / @wikidata
>>> ___
>>> Wikitech-l mailing list
>>> Wikitech-l@lists.wikimedia.org
>>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>>
>> ___
>> Wikitech-l mailing list
>> Wikitech-l@lists.wikimedia.org
>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>>
> ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
>



-- 
John Vandenberg

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Chris Grant]

On Wed, Jan 23, 2013 at 3:53 AM, Bawolff Bawolff  wrote:
> Someone should write a browser addon to automatically decode and fill in
> captchas for blind users. (Only half joking)

Don't joke, I have a blind relative who's screen reader does just that
(simple captchas only).

There are other services like http://www.azavia.com/zcaptcha which is
specifically for the blind, but hell its probably cheaper to use the same
captcha reading services that the spammers do.

-- Chris

On Wed, Jan 23, 2013 at 3:53 AM, Bawolff Bawolff  wrote:

> On 2013-01-22 3:30 PM, "aude"  wrote:
> >
> > On Tue, Jan 22, 2013 at 8:18 PM, Luke Welling WMF <
> lwell...@wikimedia.org
> >wrote:
> >
> > > That was not the end of the problem I was referring to. We know our
> > > specific captcha is broken at turning away machines. As far as I am
> aware
> > > we do not know how many humans are being turned away by the difficulty
> of
> > > it.
> >
> >
> > It's at least impossible for blind users to solve the captcha, without an
> > audio captcha.  (unless they manage to find the toolserver account
> creation
> > thing and enough motivated to do that)
> >
> > I am not convinced of the benefits of captcha versus other spam filtering
> > techniques.
> >
> > Cheers,
> > Katie
> >
> >
> >
>
> Someone should write a browser addon to automatically decode and fill in
> captchas for blind users. (Only half joking)
>
> -bawolff
> __**_
> > > > Wikitech-l mailing list
> > > > Wikitech-l@lists.wikimedia.org
> > > > https://lists.wikimedia.org/**mailman/listinfo/wikitech-l<
> > > https://lists.wikimedia.org/mailman/listinfo/wikitech-l>
> > > >
> > > ___
> > > Wikitech-l mailing list
> > > Wikitech-l@lists.wikimedia.org
> > > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> > >
> >
> >
> >
> > --
> > @wikimediadc / @wikidata
> > ___
> > Wikitech-l mailing list
> > Wikitech-l@lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Bawolff Bawolff]

On 2013-01-22 3:30 PM, "aude"  wrote:
>
> On Tue, Jan 22, 2013 at 8:18 PM, Luke Welling WMF wrote:
>
> > That was not the end of the problem I was referring to. We know our
> > specific captcha is broken at turning away machines. As far as I am
aware
> > we do not know how many humans are being turned away by the difficulty
of
> > it.
>
>
> It's at least impossible for blind users to solve the captcha, without an
> audio captcha.  (unless they manage to find the toolserver account
creation
> thing and enough motivated to do that)
>
> I am not convinced of the benefits of captcha versus other spam filtering
> techniques.
>
> Cheers,
> Katie
>
>
>

Someone should write a browser addon to automatically decode and fill in
captchas for blind users. (Only half joking)

-bawolff
__**_
> > > Wikitech-l mailing list
> > > Wikitech-l@lists.wikimedia.org
> > > https://lists.wikimedia.org/**mailman/listinfo/wikitech-l<
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l>
> > >
> > ___
> > Wikitech-l mailing list
> > Wikitech-l@lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> >
>
>
>
> --
> @wikimediadc / @wikidata
> ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[aude]

On Tue, Jan 22, 2013 at 8:18 PM, Luke Welling WMF wrote:

> That was not the end of the problem I was referring to. We know our
> specific captcha is broken at turning away machines. As far as I am aware
> we do not know how many humans are being turned away by the difficulty of
> it.


It's at least impossible for blind users to solve the captcha, without an
audio captcha.  (unless they manage to find the toolserver account creation
thing and enough motivated to do that)

I am not convinced of the benefits of captcha versus other spam filtering
techniques.

Cheers,
Katie



> It's a safe bet that it is non-zero given the manual account requests
> we get, but given that we have people to do those kinds of experiments it
> would make sense to get a number from them before making any drastic
> decisions based on a reasonable gut feeling.  I don't think anybody claims
> to have a perfect solution to the spam vs usability balancing act, so it's
> possible we'll try (and measure) a few approaches.
>
> Luke
>
>
> On Tue, Jan 22, 2013 at 10:16 AM, Federico Leva (Nemo)
> wrote:
>
> > Luke, sorry for reiterating, but «brainstorm solutions to a "problem"
> > before we measure the extent of the problem» is wrong: it's already been
> > measured by others, see the other posts...
> >
> > Nemo
> >
> >
> > __**_
> > Wikitech-l mailing list
> > Wikitech-l@lists.wikimedia.org
> > https://lists.wikimedia.org/**mailman/listinfo/wikitech-l<
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l>
> >
> ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>



-- 
@wikimediadc / @wikidata
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Luke Welling WMF]

That was not the end of the problem I was referring to. We know our
specific captcha is broken at turning away machines. As far as I am aware
we do not know how many humans are being turned away by the difficulty of
it.  It's a safe bet that it is non-zero given the manual account requests
we get, but given that we have people to do those kinds of experiments it
would make sense to get a number from them before making any drastic
decisions based on a reasonable gut feeling.  I don't think anybody claims
to have a perfect solution to the spam vs usability balancing act, so it's
possible we'll try (and measure) a few approaches.

Luke


On Tue, Jan 22, 2013 at 10:16 AM, Federico Leva (Nemo)
wrote:

> Luke, sorry for reiterating, but «brainstorm solutions to a "problem"
> before we measure the extent of the problem» is wrong: it's already been
> measured by others, see the other posts...
>
> Nemo
>
>
> __**_
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/**mailman/listinfo/wikitech-l
>
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Federico Leva (Nemo)]

Luke, sorry for reiterating, but «brainstorm solutions to a "problem" 
before we measure the extent of the problem» is wrong: it's already been 
measured by others, see the other posts...


Nemo

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[vitalif]

It's very good to discuss, but what are the other options to minimize 
spam?


(maybe I know one: find XRumer authors and tear their arms off... :-))

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[vitalif]

Luke Welling WMF писал 2013-01-22 21:59:
Even ignoring openness and privacy, exactly the same problems are 
present
with reCAPTCHA as with Fancy Captcha.  It's often very hard or 
impossible

for humans to read, and is a big enough target to have been broken by
various people.


It's very good to discuss, but what are the other options to minimize 
spam?


___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Isarra Yos]

On 21/01/13 08:04, Chris Grant wrote:

Not sure about enwiki, but from my experience with hosting smaller wiki's
CAPTCHA's are pretty useless (reCAPTCHA, FancyCAPTCHA, some custom ones).

The spambots keep on flooding through.

I've found its much more effective to just use the AbuseFilter.

-- Chris
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


I've had a similar experience with what are probably similar projects. 
Abusefilter and phalanx do a lot more to actually block unwanted stuff 
than a simple captcha, and generally without disrupting good faith edits.


Also have the option to give the users more information about what to do 
in fuzzier cases, and why they need to... it's rather helpful when set 
up properly.


--
-— Isarra


___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Luke Welling WMF]

Even ignoring openness and privacy, exactly the same problems are present
with reCAPTCHA as with Fancy Captcha.  It's often very hard or impossible
for humans to read, and is a big enough target to have been broken by
various people.

I don't know if it's constructive to brainstorm solutions to a "problem"
before we measure the extent of the problem, but a viable compromise is
very easy captchas.  Spammers vary a great deal in sophistication but if we
figure that any sophisticated enough to do any OCR are capable of finding
and downloading existing public exploits of ours, then a block capital
impact font captcha is equally easy for them, equally difficult for
unsophisticated spammers and much easier for sighted humans.

Luke


On Tue, Jan 22, 2013 at 9:45 AM, Arthur Richards wrote:

> On Tue, Jan 22, 2013 at 10:37 AM,  wrote:
>
> >
> >> Maybe you'll just use recaptcha instead of fancycaptcha?
> >
> >
> /me gets popcorn to watch recaptcha flame war
>
> There has been discussion on this list in the past about the use of
> recaptcha, but it has generally ended in a down-vote because reCaptcha is
> not open source (even though it supports free culture) nor is it something
> we can host on our own servers.
>
> --
> Arthur Richards
> Software Engineer, Mobile
> [[User:Awjrichards]]
> IRC: awjr
> +1-415-839-6885 x6687
> ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[vitalif]

The problem is that reCaptcha (a) used as a service, would pass
private user data to a third party (b) is closed source, so we can' t
just put up our own instance. Has anyone reimplemented it or any of
it? There's piles of stuff on Wikisource we could feed it, for
example.


OK, then we can take KCaptcha and integrate it as an extension.
It's russian project, I've used it many times. Seems to be rather 
strong.

http://www.captcha.ru/en/kcaptcha/


___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Arthur Richards]

On Tue, Jan 22, 2013 at 10:37 AM,  wrote:

>
>> Maybe you'll just use recaptcha instead of fancycaptcha?
>
>
/me gets popcorn to watch recaptcha flame war

There has been discussion on this list in the past about the use of
recaptcha, but it has generally ended in a down-vote because reCaptcha is
not open source (even though it supports free culture) nor is it something
we can host on our own servers.

-- 
Arthur Richards
Software Engineer, Mobile
[[User:Awjrichards]]
IRC: awjr
+1-415-839-6885 x6687
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[David Gerard]

On 22 January 2013 17:37,   wrote:

>> Per the previous comments in this post, anything over 1% precision
>> should be regarded as failure, and our Fancy Captcha was at 25% a year
>> ago. So yeah, approximately all, and our captcha is well known to
>> actually suck.

> Maybe you'll just use recaptcha instead of fancycaptcha?


The problem is that reCaptcha (a) used as a service, would pass
private user data to a third party (b) is closed source, so we can' t
just put up our own instance. Has anyone reimplemented it or any of
it? There's piles of stuff on Wikisource we could feed it, for
example.


- d.

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[vitalif]

Per the previous comments in this post, anything over 1% precision
should be regarded as failure, and our Fancy Captcha was at 25% a 
year

ago. So yeah, approximately all, and our captcha is well known to
actually suck.


Maybe you'll just use recaptcha instead of fancycaptcha?

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Andre Klapper]

On Tue, 2013-01-22 at 10:13 +0100, Nikola Smolenski wrote:
> A simple thing that could be done is to introduce localized captchas on 
> non-Latin wikis (just remember that not everyone has the appropriate 
> keyboard).

For the records, this is covered in
https://bugzilla.wikimedia.org/show_bug.cgi?id=5309

andre
-- 
Andre Klapper | Wikimedia Bugwrangler
http://blogs.gnome.org/aklapper/



___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[MZMcBride]

Nikola Smolenski wrote:
>On 22/01/13 01:44, Bawolff Bawolff wrote:
>>Given that there are algorithms that can solve our captcha presumably
>>they are mostly preventing the lazy and those that don't have enough
>>knowledge to use those algorithims. I would guess that text on an image
>>without any blurring or manipulation would be just as hard for those
>>sorts of people to break. (Obviously that's a rather large guess). As a
>>compromise maybe we should have straight text in image captchas.
>
>A simple thing that could be done is to introduce localized captchas on
>non-Latin wikis (just remember that not everyone has the appropriate
>keyboard). This would mean that new captcha-cracking algorithms would
>need to be developed for each script, and if the wikis are small,
>spammers would not bother.

Any developer interested in Wikimedia wiki CAPTCHAs should look at
. There's
some low-hanging bug fruit there.

MZMcBride



___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Nikola Smolenski]

On 22/01/13 01:44, Bawolff Bawolff wrote:

Given that there are algorithms that can solve our captcha presumably they
are mostly preventing the lazy and those that don't have enough knowledge
to use those algorithims. I would guess that text on an image without any
blurring or manipulation would be just as hard for those sorts of people to
break. (Obviously that's a rather large guess). As a compromise maybe we
should have straight text in image captchas.


A simple thing that could be done is to introduce localized captchas on 
non-Latin wikis (just remember that not everyone has the appropriate 
keyboard). This would mean that new captcha-cracking algorithms would 
need to be developed for each script, and if the wikis are small, 
spammers would not bother.


___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[David Gerard]

On 22 January 2013 04:28, Matthew Flaschen  wrote:
> On 01/21/2013 03:00 AM, David Gerard wrote:

>> Yes, but to count as successful it would have to block approximately
>> all, I'd think.

> That's dubious.  Blocking all spambots is not the goal of any CAPTCHA.
> The goal is to significantly decrease spam, and thus to save human
> spam-fighters time.


Per the previous comments in this post, anything over 1% precision
should be regarded as failure, and our Fancy Captcha was at 25% a year
ago. So yeah, approximately all, and our captcha is well known to
actually suck.


- s.

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Matthew Flaschen]

On 01/21/2013 03:00 AM, David Gerard wrote:
> On 21 January 2013 07:56, Andre Klapper  wrote:
> 
>> "at all" implies that some spambots are blocked at least?
> 
> 
> Yes, but to count as successful it would have to block approximately
> all, I'd think.

That's dubious.  Blocking all spambots is not the goal of any CAPTCHA.
The goal is to significantly decrease spam, and thus to save human
spam-fighters time.

Matt Flaschen

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Bawolff Bawolff]

Given that there are algorithms that can solve our captcha presumably they
are mostly preventing the lazy and those that don't have enough knowledge
to use those algorithims. I would guess that text on an image without any
blurring or manipulation would be just as hard for those sorts of people to
break. (Obviously that's a rather large guess). As a compromise maybe we
should have straight text in image captchas.

-bawolff
On 2013-01-21 7:40 PM, "Anthony"  wrote:

> On Mon, Jan 21, 2013 at 3:00 AM, David Gerard  wrote:
> > I mean, you could redefine "something that doesn't block all spambots
> > but does hamper a significant proportion of humans" as "successful",
> > but it would be a redefinition.
>
> It's not a definition, it's a judgment.
>
> And whether or not it's a correct judgment depends on how many
> spambots are blocked, and how many productive individuals are
> "hampered", among other things.
>
> After all, reverting spam hampers people too.
>
> ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Anthony]

On Mon, Jan 21, 2013 at 3:00 AM, David Gerard  wrote:
> I mean, you could redefine "something that doesn't block all spambots
> but does hamper a significant proportion of humans" as "successful",
> but it would be a redefinition.

It's not a definition, it's a judgment.

And whether or not it's a correct judgment depends on how many
spambots are blocked, and how many productive individuals are
"hampered", among other things.

After all, reverting spam hampers people too.

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Federico Leva (Nemo)]

And to be more explicit, quoting the paper in case someone really has 
doubts: «we deem a captcha scheme broken when the attacker is able to 
reach a precision of at least 1%». With our FancyCaptcha we are/were at 
25 % precision for attackers, so yes, it's officially broken, and it's 
been so since more than a year ago 
 
so surely spammers got better in the meanwhile.


Nemo

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[David Gerard]

On 21 January 2013 08:43, Bawolff Bawolff  wrote:

> Does 
> http://elie.im/publication/text-based-captcha-strengths-and-weaknessescount
> as evidence? (Copied and pasted from the mailing list archives)


404 :-) Correct link:
http://elie.im/publication/text-based-captcha-strengths-and-weaknesses


- d.

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Bawolff Bawolff]

On 2013-01-21 3:56 AM, "Andre Klapper"  wrote:
>
> On Mon, 2013-01-21 at 07:48 +, David Gerard wrote:
> > On 21 January 2013 05:13, Victor Vasiliev  wrote:
> > > On 01/20/2013 04:22 PM, David Gerard wrote:
> >
> > >> The MediaWiki captcha is literally worse than useless: it doesn't
keep
> > >> spambots out, and it does keep some humans out.
> >
> > > I don't see how the spambot statement is true. Do you have evidence
for it?
> >
> >
> > That spambots get through at all.
>
> Evidence is not provided by simply repeating the statement. :)
>

Does http://elie.im/publication/text-based-captcha-strengths-and-weaknessescount
as evidence? (Copied and pasted from the mailing list archives)

Sure captchas do prevent some limitted attacks - it makes it more effort
then a 5 minute perl script. Most spammers are more sophisticated than that.

-bawolff
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Chris Grant]

Not sure about enwiki, but from my experience with hosting smaller wiki's
CAPTCHA's are pretty useless (reCAPTCHA, FancyCAPTCHA, some custom ones).

The spambots keep on flooding through.

I've found its much more effective to just use the AbuseFilter.

-- Chris
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[David Gerard]

On 21 January 2013 07:56, Andre Klapper  wrote:

> "at all" implies that some spambots are blocked at least?


Yes, but to count as successful it would have to block approximately
all, I'd think.

I mean, you could redefine "something that doesn't block all spambots
but does hamper a significant proportion of humans" as "successful",
but it would be a redefinition.


- d.

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Andre Klapper]

On Mon, 2013-01-21 at 07:48 +, David Gerard wrote:
> On 21 January 2013 05:13, Victor Vasiliev  wrote:
> > On 01/20/2013 04:22 PM, David Gerard wrote:
> 
> >> The MediaWiki captcha is literally worse than useless: it doesn't keep
> >> spambots out, and it does keep some humans out.
> 
> > I don't see how the spambot statement is true. Do you have evidence for it?
> 
> 
> That spambots get through at all.

Evidence is not provided by simply repeating the statement. :)

"at all" implies that some spambots are blocked at least?

andre
-- 
Andre Klapper | Wikimedia Bugwrangler
http://blogs.gnome.org/aklapper/


___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[David Gerard]

On 21 January 2013 05:13, Victor Vasiliev  wrote:
> On 01/20/2013 04:22 PM, David Gerard wrote:

>> The MediaWiki captcha is literally worse than useless: it doesn't keep
>> spambots out, and it does keep some humans out.

> I don't see how the spambot statement is true. Do you have evidence for it?


That spambots get through at all.


- d.

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Victor Vasiliev]

On 01/20/2013 04:22 PM, David Gerard wrote:
> The MediaWiki captcha is literally worse than useless: it doesn't keep
> spambots out, and it does keep some humans out.
>

I don't see how the spambot statement is true. Do you have evidence for it?

Also, it's one of the nicer CAPTCHAS around here, it's certainly more
readable than reCAPTCHA.

-- Victor.


___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Thomas Bleher]

* David Gerard  [2013-01-20 22:23]:
> The MediaWiki captcha is literally worse than useless: it doesn't keep
> spambots out, and it does keep some humans out.

I can't speak for WMF sites, but on my small wiki, it *does* keep some
spambots out. Not all of them, but it is still quite useful to have
captchas there.

Regards,
Thomas


___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Steven Walling]

On Sun, Jan 20, 2013 at 6:46 PM, Bawolff Bawolff  wrote:

> > This question is something we've also been asking ourselves on the E3
> team,
> > as part of our work on account creation. I think we all agree that
> CAPTCHAs
> > are at best a necessary evil. They are a compromise we make in our user
> > experience, in order to combat automated attacks.
>
> That's kind of missing the point of the original poster. The point being
> that they are an *un*nessary evil and do not prevent automated attacks
> whatsoever.
>
> [Snip]
>

We actually don't know that, and "whatsoever" is probably a gross
exaggeration.



> > To get more numbers on how much taking away the CAPTCHA might gain us in
> > terms of human registrations, we have considered a two hour test (to
> start
> > with) of removing the CAPTCHA from the registration page:
> > https://meta.wikimedia.org/wiki/Research:Account_creation_UX/CAPTCHAThat
> > kind of test would probably not be an accurate measurement of what kind
> of
> > spam would be unleashed if we permanently removed it, but the hourly
> volume
> > of registrations on enwiki is enough to tell us the human impact.
>
> That would be interesting. Remember that captchas arent just on the user
> reg page though.
>
> -bawolff
>

Yeah I would prefer we only test removal on the registration page.


>  ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Bawolff Bawolff]

> This question is something we've also been asking ourselves on the E3
team,
> as part of our work on account creation. I think we all agree that
CAPTCHAs
> are at best a necessary evil. They are a compromise we make in our user
> experience, in order to combat automated attacks.

That's kind of missing the point of the original poster. The point being
that they are an *un*nessary evil and do not prevent automated attacks
whatsoever.

[Snip]
> To get more numbers on how much taking away the CAPTCHA might gain us in
> terms of human registrations, we have considered a two hour test (to start
> with) of removing the CAPTCHA from the registration page:
> https://meta.wikimedia.org/wiki/Research:Account_creation_UX/CAPTCHA That
> kind of test would probably not be an accurate measurement of what kind of
> spam would be unleashed if we permanently removed it, but the hourly
volume
> of registrations on enwiki is enough to tell us the human impact.

That would be interesting. Remember that captchas arent just on the user
reg page though.

-bawolff
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[Steven Walling]

On Sun, Jan 20, 2013 at 1:22 PM, David Gerard  wrote:

> The MediaWiki captcha is literally worse than useless: it doesn't keep
> spambots out, and it does keep some humans out.
>
> (I was just reminded of this by a friend I lured into joining
> Wikivoyage - who can see and is highly literate, but found the captcha
> really troublesome.)
>
> Why are we still using this?
>
>
> - d.
>

Hi David,

This question is something we've also been asking ourselves on the E3 team,
as part of our work on account creation. I think we all agree that CAPTCHAs
are at best a necessary evil. They are a compromise we make in our user
experience, in order to combat automated attacks.

If anyone is interested in seeing how CAPTCHAs impact users first hand, you
should definitely watch the remote user tests we did at
https://www.mediawiki.org/wiki/Account_creation_user_experience/User_testingor
at least scan the notes. Those highlighted for us that, even in the
much
nicer looking new version we built, the CAPTCHA is a pain in the ass.

To get more numbers on how much taking away the CAPTCHA might gain us in
terms of human registrations, we have considered a two hour test (to start
with) of removing the CAPTCHA from the registration page:
https://meta.wikimedia.org/wiki/Research:Account_creation_UX/CAPTCHA That
kind of test would probably not be an accurate measurement of what kind of
spam would be unleashed if we permanently removed it, but the hourly volume
of registrations on enwiki is enough to tell us the human impact.

There are other, easier things we can do to make this issue far less worse,
if we can't remove it entirely without lots of rigorous testing...

One thing we recently did was simply regenerate the images with font
rendering that is easier to read for people; our system for generating
CAPTCHAs is arcane to my eyes, but Aaron Schulz was able to accomplish that
without much headache.

The other thing in the works is adding a refresh button to the CAPTCHAs,
which if done correctly could make a huge difference IMO:
https://gerrit.wikimedia.org/r/#/c/44376/ That patch still needs UI
improvements and testing, but any help would be most welcome.

Steven
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Why are we still using captchas on WMF sites?

[David Gerard]

On 20 January 2013 21:22, David Gerard  wrote:

> The MediaWiki captcha is literally worse than useless: it doesn't keep
> spambots out, and it does keep some humans out.


Not to mention this, which delighted Tom Morris at an editathon he was running:

https://commons.wikimedia.org/wiki/File:CAPTCHA_headshits.jpg


- d.

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] Why are we still using captchas on WMF sites?

[David Gerard]

The MediaWiki captcha is literally worse than useless: it doesn't keep
spambots out, and it does keep some humans out.

(I was just reminded of this by a friend I lured into joining
Wikivoyage - who can see and is highly literate, but found the captcha
really troublesome.)

Why are we still using this?


- d.

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l