Filed under: Asides | Tags: | August 28th, 2008

Captcha is Broken

Captcha is broken – now what? The Guardian. I was quoted in today’s Guardian, which consistently has some of the best tech coverage around.

24 Responses

  • Stephen R | August 28th, 2008 @ 12:57 pm | Reply

    I’ve been working on improvements to Andy Skelton’s Quiz plugin. Basically you make a custom question for each post, when you write it.

    I like the idea of this a lot because it means that not only do you have to have human comprehension, but you have to have actually read the post. Slows down (hugely) the “captcha farm” spammers, and thins down frivolous comments to boot. :)

  • Martin | August 28th, 2008 @ 1:54 pm | Reply

    I hate Captcha with a passion. I have five sites and none will ever use it. I use Akismet and comment moderation and that pretty much solves everything without any hassles for my users or me.

  • m@ | August 28th, 2008 @ 2:05 pm | Reply

    The problem lies in usability vs. vulnerability. You want to make it as easy as possible for users while making it as hard as possible for spam bots. Captchas were never easy for users, and apparently now they’re easy for bots. Group sourcing filtering isn’t necessarily the answer either as you have to worry about bots being in the group. Now what? That is indeed the question.

  • Titanas | August 28th, 2008 @ 3:11 pm | Reply

    It was about time for someone to call captcha a bane. Sometimes it takes me 2-3 reloads to figure out what the captcha is displaying just to register to a service.

  • lemming | August 28th, 2008 @ 9:36 pm | Reply

    Congrats, Matt.
    Btw. you have the best jolted domain I’ve ever seen so far.

  • Inge Janse | August 29th, 2008 @ 3:43 am | Reply

    “Just because something came from a real human being doesn’t mean it isn’t spam, which is why content-based solutions like Akismet are the only long-term solution to the spam problem.”

    Excellent quote. That pretty much dismisses all alternatives given in the article.

  • Neil | August 29th, 2008 @ 4:12 am | Reply

    Aww the Guardian, for the intellectual man, good read!

  • nathan | August 29th, 2008 @ 5:42 am | Reply

    My first thought was, ‘not only is it broken, it’s also really annoying.’

    Very interesting it starts with a Matt quote and ends with a Matt quote.
    Obviously, someone has a good handle on how to fix captcha…

  • Lloyd Budd | August 29th, 2008 @ 8:20 am | Reply

    That article is disappointing in that it doesn’t even mention reCAPTCHA. Maybe they decided that reCAPTCHA got enough play in the news mid-month.

    I can’t stand craptcha, but if someone really, really, really feels they must use it, reCAPTCHA seems like the way to go. You are both helping a great cause and there are accessibility options.

  • Khürt Williams | August 29th, 2008 @ 9:00 am | Reply

    I hate captcha! Hate! Hate!

  • lambic | August 29th, 2008 @ 11:26 am | Reply

    I wrote about the horribleness of Captchas back in 2006 (http://www.lambic.co.uk/blog/archives/2006/12/captchas-who-needs-them/), why didn’t they quote me?! Oh right, I didn’t create the internet’s most popular blogging engine, sorry, forgot that part ;)

  • Jacques Marneweck | August 30th, 2008 @ 9:59 am | Reply

    Something I found quite amusing on the subject of captchas today – there is a booming industry in India of guys employed to reply to captchas (http://blogs.zdnet.com/security/?p=1835)

  • ::Wendy:: | August 30th, 2008 @ 2:43 pm | Reply

    ‘are you mouse or man’ or girl?
    The Guardian for the intellectual man (Neil’s comment) – come on fellows – at least demonstrate in your language that you are aware that women can write spam bots, spam, and be intellectuals.

  • amolpatil2k | August 30th, 2008 @ 9:09 pm | Reply

    Comment spam is a serious problem. There are 4 defences: Captcha (proactive), filters like Akismet (reactive), admin moderation (reactive) and reader flagging (reactive). The problem with Akismet is that it is not transparent. How do we know it doesn’t harbor a bias in the guise of secret algorithms?

  • Michael Hampton | August 30th, 2008 @ 10:28 pm | Reply

    Hm, that reporter should have talked to me.

  • Pushkar Arora | August 30th, 2008 @ 11:14 pm | Reply

    ‘ companies such as Microsoft are not abandoning the system. “We are updating our Captcha system to be both more readable for customers but more difficult to break through” ‘

    Why waste more time and technology on something that eventually is going to fall again?
    Matt’s quote in the closing part in the article really defines what needs to be done ultimately for a spam free web.

  • Tim | August 31st, 2008 @ 8:37 am | Reply

    “Just because something came from a real human being doesn’t mean it isn’t spam, which is why content-based solutions like Akismet are the only long-term solution to the spam problem.”

    And unfortunately, it is also true that just because Akismet (or any content filter) says something is spam doesn’t mean it is spam. A valid message marked as spam by a filter isn’t a good user experience either.

    Sure, we can review comments marked as spam, but if I’m going to review 100% of the filtered comments for false-positives, why have a filter at all?

    I’m no fan of captchas either, but silently discarding a valid message that doesn’t pass a filter is an even poorer experience for that user and unacceptable to my application.

  • Chris Messina | August 31st, 2008 @ 10:59 pm | Reply

    Was also disheartening to discover how Mechanical Turk is being used for spamming purposes as well:

    http://www.readwriteweb.com/archives/amazons_mechanical_turk_used_for_fraud.php

  • An Tu | September 1st, 2008 @ 2:59 am | Reply

    I never like the captcha system, none of my sites use it :D

  • Paul B. | September 1st, 2008 @ 2:52 pm | Reply

    Your final quote is dead on. The focus should not be on whether the viewer is human or not, but rather we should focus on the content/data, which is where the spam actually is.

  • Sniff | September 2nd, 2008 @ 3:50 am | Reply

    Maybe you’ll find the CAPTCHA I’ve written interesting – tEABAG_3D; you can see it at http://ocr-research.org.ua

  • Jeffrey Morgan | September 3rd, 2008 @ 2:11 am | Reply

    Moderating comments is the only sure way to avoid automated spam. I moderate comments on my blog and part of the moderation process is investigating the URL provided by the poster. Content which at first seems OK is often revealed to be spam when I look at the poster’s web page.
