Warning: The author of this contribution does not provide support for it anymore.


On impossibility to outsource KeyCAPTCHA to 3rd party (human - KeyCAPTCHA

by KeyCAPTCHA » Mon Apr 04, 2011 1:36 am

Copied the discussion from [Split] Using Advanced Block Mod to Prevent Spam thread to split it:
A_Jelly_Doughnut wrote: With all due respect, Gennady, KeyCaptcha's puzzles would be very easy to break if someone only tried. I have better things to do with my time, but I figure I could do it in a couple of days.

The Puzzles type is just one of the options chosen/switched by clients of KeyCAPTCHA. There is another type - "Pairings" (you can try the live demo on the keycaptcha.com website), available to users, as well as types not exposed at all (not yet used).
Start from the "Pairings" type to be sure that you really crack all the KeyCAPTCHA options available to users.

Also, besides replacement of the KeyCAPTCHA type or pool of captchas, some of the possible easy and fast countermeasures to KeyCAPTCHA cracking are to switch on IP-address restriction (so that the same KeyCAPTCHA is passed only from the same IP) and/or to change the algorithm.

The latter says that nobody has created bots to handle your system yet (because the bot authors don't see it as worthwhile due to low market share). The former says that it will be cracked (if your system does get noticeable market share).

Also copy of my answer:
KeyCAPTCHA wrote:
DavidIQ wrote: Using KeyCAPTCHA will likely be ok for some time until the bot writers get smarter or take notice which happens all the time. All it takes is for the popularity of it to increase. They said reCAPTCHA couldn't be broken as well and look what happened to that. You should be very careful with what you attach "never" or "impossible" to.

I am quite careful.
KeyCAPTCHA has not EVER been passed by any spam bot.
In case it has, it is specially designed so that its type (or simply pool) can be changed without reinstalling already installed plugins. Easily, fast (centralized) and cheap.

The problem is only in the relative time, cost and effort to develop spam bots (cracking a specific KeyCAPTCHA) vs. to change KeyCAPTCHA (which is replaceable without reinstalling old plugins).

Note that it is not enough to develop a new (or update an old) spam bot that passes KeyCAPTCHA, it is also necessary to sell the new bot (or updates to an old one) to spammers (spam operators/clients, whoever, interested humans). This cannot be epidemically fast, easy, economical or efficient in comparison to replacement of KeyCAPTCHA which is centralized, easy and cheap.
These replacements can also be done preemptively (preventively).

This completely reverts the previous (and still current) situation when antispamming techniques are always retroactively lagging behind spamming advancements.

My colleague just told me that replacement of KeyCAPTCHA is an extreme measure.
There are much simpler immediate measures which annul any possible crack of KeyCAPTCHA.
Registered User
Posts: 66
Joined: Sun Nov 14, 2010 8:32 am
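
The IP-address restriction mentioned in the post (a challenge is accepted only from the IP it was issued to) can be sketched as below. This is an added example, not KeyCAPTCHA's code: the token layout, `SERVER_KEY`, `TOKEN_TTL` and the function names are assumptions, and the IP addresses are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret
TOKEN_TTL = 120                       # assumption: seconds a challenge stays valid
_used = set()                         # challenge ids already redeemed (single use)


def _mac(challenge_id, client_ip, expires):
    # The MAC covers the issuing IP, so the token is useless from another address.
    msg = f"{challenge_id}|{client_ip}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(client_ip, now=None):
    """Return a token that ties a fresh challenge to the requesting IP."""
    now = time.time() if now is None else now
    challenge_id = secrets.token_hex(8)
    expires = int(now) + TOKEN_TTL
    return f"{challenge_id}.{expires}.{_mac(challenge_id, client_ip, expires)}"


def verify_submission(token, client_ip, now=None):
    """Return 'ok' or the reason the submission is rejected."""
    now = time.time() if now is None else now
    try:
        challenge_id, expires_s, mac = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return "malformed"
    # Recompute the MAC with the IP of the *submitting* connection.
    expected = _mac(challenge_id, client_ip, expires)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "ip-or-token-mismatch"
    if now > expires:
        return "expired"
    if challenge_id in _used:
        return "replayed"
    _used.add(challenge_id)
    return "ok"
```

Clients behind carrier-grade NAT or rotating proxies can change address between issue and submission, so a deployment using this check needs a fallback that serves a fresh challenge on mismatch.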