Ask HN:Can bots still go through a captcha registration system?

1 points by cannibalXxx ↗ HN

11 comments

[ 2.9 ms ] story [ 28.2 ms ] thread
Yes. I knew someone who published a PHP-based neural network on their site around 2010 or so that could read CAPTCHAs who got his site hacked because it was a little over the line.

The main technique used by Re:CAPTCHA is web tracking; the best sign that somebody is not a bot is to find a set of tracking cookies that can be linked up to a long history of ads served even if never clicked on.

that's too bad because I've been getting a lot of bot registrations on my site
They are passing email or SMS checks?
I don't have email or sms checks, just a captcher to check for bot activity
If you don't verify emails (or SMS, or use something like Facebook Connect, or make people prove they have a credit card, or...) you will get totally screwed with bot accounts. That was true in '99 and it is still true.

To take an example of why CAPTCHAs don't really work, circa 2009 there was a site a lot like HN that didn't have email checks and I made about 1000 fake users for it that had halfway decent profiles generated for them (got pictures out of a big pile of cartoon characters, real people, abstract things, etc. -- nobody seemed to care that I made no effort to make the gender of the profile pic match the name)

With those accounts I had as much control over that site as I wanted. Certainly I could write a mediocre blog post and people would wonder why it got so many upvotes but they never got past leaving comments wondering about this. I did it all with Tor so I never ran out of IP addresses (pro tip: look at Tor exit nodes as nests of problem users) I don't think the operators of the site cared, my bots voted for random articles so they weren't obviously part of a voting ring, my bots were polite and never made trouble.

Note I could have solved 1000 CAPTCHAs myself in 10 hours or paid somebody else to do it; it just wouldn't have stopped me from making enough fake accounts to make a voting ring that would take heavy use of statistics to catch. I could have easily added something to my mail server so I could make multiple users on the same email domain, but if my whole voting ring came from the same or a small set of domains it would have been easy to catch.

(Granted hackers and spammers really do create gmail accounts by the 1000 but they are dealing with Google's black ice)

my question is: how does HN defend itself against bots and it doesn't have any protection system either, from what I see here, I don't know if I'm right.
A captcha can help in some scenarios, but they can be easily bypassed most of the time if anyone really wanted to.
and what would be your best solution?
If you're struggling with bot activity, there's lots of different solutions all with varying levels of reliability, you could go for extreme solutions like text message verification, or email, or you could opt for ReCAPTCHA, which seems to be the hardest to automatically complete, though it's still possible, but the pricing for recaptcha completion is the most expensive lol. You could opt for creative solutions, like something I see Linux wikis do for verification is "what is the output of <bash command that is likely somewhat computationally expensive even if nominally>", but most captchas are easy for bots to do, but hard for humans to do, or so annoying that nobody is going to bother.
so I see that this problem isn't just for small sites, I now believe that even large sites also have this as a problem to solve