Some thoughts about the prospects for captcha solutions, like this.
Purely from a philosophical point of view, the prospects of captcha and other means that rely on recognizing the subject who performs the protected action, and so on separating the "right" subjects from the "wrong" ones, are very uncertain. Sooner or later this race will reach the point where the test lets through "smart" people and "smart" programs but weeds out some people along with not very "smart" programs, like Rapid cats. Even today, the "test for humanity" does not solve the problem of hired discriminators. Therefore, other solutions are needed.
To develop a tool that minimizes negative informational activity (spam, flood, etc.), you must first identify the characteristic properties of such activity (and not of its direct performers). All captchas and similar "tests for humanity" try to determine "who is knocking on my door" - and if this someone is "racially clean", he is authorized; if not, he is sent to the gas vans. The result is a system that:
1) contributes to discrimination against people with disabilities (such as the blind) - because not all owners who implement a visual captcha want to bother with sound;
2) deprives bona fide users of potential additional conveniences (automated access within the framework of fair use);
3) does not fulfill its main function - it does not protect against negative informational activity.
The division of the world into "good" subjects, who always perform good actions, and "bad" ones, who always perform bad ones, does not, to put it mildly, correspond well to reality. Accordingly, solutions in the style of "kill all the bad" simply do not work. Moreover, the attacker, in the end, is always a human, not a bot.
The only real approach to protecting against spam and flood is to filter the actions themselves, based on the features that distinguish malicious actions from good-faith ones, regardless of which subject directly carries them out - a bona fide user agent or a mercenary working for a spammer. You can track both purely technical features (excessive frequency or volume of messages, an attempt to send many identical or statistically similar messages, etc.) and the reaction that such messages provoke in other participants (karma). Along with subjective identifiers (nicknames), objective ones (IP) should be evaluated and, if necessary, blocked, again either exactly or by mask (onotoley *). What will be effective are tools that quickly identify the distinctive characteristics of malicious informational activity and quickly eliminate its consequences by banning or deleting, for example using an SQL-like language and regular expressions.
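A sketch of the action-based filter described above, added here as an illustration and not taken from the original post: it judges each action by mask, frequency and similarity to earlier messages, never by who the sender is. The class name, the thresholds, the word-shingle similarity measure and the sample actions are all assumptions made for the example.

```python
import fnmatch
from collections import defaultdict, deque

def shingles(text, k=3):
    """Set of k-word windows; statistically similar texts share most of them."""
    w = text.lower().split()
    return {" ".join(w[i:i + k]) for i in range(max(1, len(w) - k + 1))}

def jaccard(a, b):
    return len(a & b) / len(a | b)

class ActionFilter:  # hypothetical name; thresholds are illustrative assumptions
    def __init__(self, max_actions=3, window=60.0, similarity=0.6, masks=()):
        self.max_actions, self.window, self.similarity = max_actions, window, similarity
        self.masks = [m.lower() for m in masks]   # exact values or wildcard masks
        self.times = defaultdict(deque)           # (kind, id) -> accepted timestamps
        self.recent = deque(maxlen=100)           # shingle sets of accepted messages

    def check(self, now, ip, nick, text):
        """Return a verdict for one action; state changes only if it is accepted."""
        keys = [("ip", ip), ("nick", nick.lower())]
        if any(fnmatch.fnmatchcase(v, m) for _, v in keys for m in self.masks):
            return "blocked-mask"
        for key in keys:                          # frequency per objective/subjective id
            q = self.times[key]
            while q and now - q[0] >= self.window:
                q.popleft()
            if len(q) >= self.max_actions:
                return "rate-limit"
        sh = shingles(text)                       # similarity is checked across all senders
        if any(jaccard(sh, old) >= self.similarity for old in self.recent):
            return "near-duplicate"
        for key in keys:
            self.times[key].append(now)
        self.recent.append(sh)
        return "ok"

# Constructed sample actions: (seconds, ip, nick, text)
SAMPLE = [
    (0, "203.0.113.5", "alice", "Has anyone tried the new release on ARM boards yet?"),
    (5, "198.51.100.7", "bob", "Cheap pills at example dot invalid best price order now today"),
    (6, "198.51.100.8", "carol", "Cheap pills at example dot invalid best price order now friends"),
    (10, "203.0.113.5", "alice", "The build fails for me with a linker error on step four"),
    (20, "203.0.113.5", "alice", "Never mind, clearing the cache fixed the linker problem"),
    (30, "203.0.113.5", "alice", "One more question about the configuration file format"),
    (40, "192.0.2.44", "dave", "Hello from a blocked range"),
    (45, "203.0.113.9", "Onotoley42", "First post"),
    (70, "203.0.113.5", "alice", "One more question about the configuration file format"),
]

def run_sample():
    f = ActionFilter(masks=["onotoley*", "192.0.2.*"])
    return [f.check(*event) for event in SAMPLE]
```

The near-duplicate from a different IP and nickname is rejected on its content alone, and the rate-limited message is accepted once the window has passed.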
The resource's policy regarding such actions (what is allowed and what is not) should be open, including to software agents. If an agent tries to perform an action incompatible with the resource's policy, the resource must return a standard negative response embedded in a microformat somewhere inside the HTML. If the moderator finds that the stated policy is not enough and an attacker has bypassed it, the policy is refined and updated. As the service is run in, its efficiency will increase, and the policy will evolve toward maximum convenience for the owner of the service and for its users.
And forcing users to perform a non-target action along with the target one is a waste of resources (time, attention) and totalitarianism, and when some users physically cannot perform the imposed action, it is also blatant discrimination. Therefore, I was, am and will be an opponent of "solving" the problem of spam with the help of captcha. The only plus of captchas is that they stimulate developments in the field of AI, whose side effects can be very valuable tools (just as communication satellites became a side effect of the space arms race). Therefore, in the near future this race will continue, but ultimately it will give way to open policy.