Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

George Herbert george.herbert at gmail.com
Thu Jan 24 18:52:53 UTC 2013


On Thu, Jan 24, 2013 at 5:48 AM, Rich Kulawiec <rsk at gsp.org> wrote:
> On Wed, Jan 23, 2013 at 01:20:07PM +0100,  . wrote:
>> CAPTCHAS are a "defense in depth" that reduce the number of spam
>> incidents to a number manageable by humans.
>
> No, they do not.  If you had actually bothered to read the links that
> I provided, or simply to pay attention over the last several years,
> you would know that captchas are not any kind of defense at all.
>
> They're like holding up tissue paper in front of a tank: worthless.
>
> (Yes, yes, I'm well aware that many people will claim that *their* captchas
> work.  They're wrong, of course: their captchas are just as worthless
> as everyone else's.  They simply haven't been competently attacked yet.
> And relying on either the ineptness or the laziness of attackers is
> a very poor security strategy.)
>
> ---rsk

It's true that relying on the laziness of attackers is statistically
useful, but as soon as one becomes an interesting enough target that
the professionals aim, then professional grade tools (which waltz
through captchas more effectively than normal users can, by far) make
them useless.

I disagree that they're entirely ineffective.  The famous Wiley
cartoon (found also in the frontispiece of the original Firewalls
book...) "You have to be this tall to storm the castle" does apply.
But knowing the relative height and availability of storm-the-captcha
tools is important.  They are out there, pros use them all the time,
they are entirely effective.


-- 
-george william herbert
george.herbert at gmail.com



More information about the NANOG mailing list