On 29 Aug 2008, at 16:33, tedd wrote:
At 3:41 PM +0100 8/29/08, Stut wrote:
The main project I work on at the moment is a classified ad site
and it has CAPTCHA's in three places.
-snip-
I understand there are different reasons behind the use of
CAPTCHA's, but in the end they still present accessibility problems.
And their use is a trade-off that you accept.
In essence you are saying I understand the problems and this is my
best solution. You are cutting out a segment of the population due
to the fact that you cannot create a better solution.
Don't get me wrong -- I fully understand the problems involved and
there may not be a better solution. But to employ CAPTCHA's, means
that there isn't.
That's putting words in other people's mouths. Use of CAPTCHA's isn't
the same as stating the Earth is flat and refusing to entertain
alternative theories. CAPTCHA's are a first line of defence and as
such I'll use them until I or someone else comes up with something
better. I don't see that as defeat, but in the real world I can't say
"I don't have a 100% effective defence so I'm not going to use the 70%
defence I do have". Seems to me to be a very odd position to take.
So I agree that CAPTCHA's do not and cannot solve the problem of
unwanted form submissions, but they're a damn good start.
I agree with most of that, but I think the "they're a damn good
start" is really "this works and that's that."
It's like the saying "Why are the things I'm looking for always in
the last place I find them?" They are because once you find them,
you stop looking. Likewise, the CAPTCHA is a good place to stop.
Who ever said we've stopped? Again, it's one tool in a toolbox, but
certainly not one that should be ignored.
Whatever we do, the simple fact that we want users to be able to do
something means that anyone can do it whether they have good
intentions or bad, but we can put up as many obstacles to
automation as normal users can live with. CAPTCHA's are only a
defence against automation, not bad people and that's a very
important thing to understand.
That's a very good point. I often think that people who employ these
tactics (spam automation) actually know what they are doing when in
fact they may not. They may be ignorant of the harm they cause.
I highly doubt that. There may be a few who use off-the-shelf scripts
without really knowing what they're doing, but I would bet the
majority fully understand what they're doing and most of them don't
care. I *know* some of them think they're "adding value".
The reason I asked the question is that your comments on that page
imply that only lazy developers use them when this is far from the
truth. They are a valuable tool and until something better comes
along I'm gonna use them as part of my site's defences, unless
you're volunteering to moderate >7k messages for me for free?
Didn't think so ;)
I didn't mean to imply laziness, but now that you mentioned it -- on
one hand we say that CAPTCHA is good enough until something else
comes along, but on the other hand, because we are using CAPTCHA,
there's no need to develop something else.
I think this is very naive and coming from you tedd it surprises me.
Very few developers have time to put everything on hold because the
tools they have are not 100% effective - I certainly don't. I really
wish I did, but this is the real world where the almighty pound is
king. I'd love to see the faces at the next board meeting when I say
"no progress this month because we've been trying to come up with
something better than CAPTCHA's".
The community as a whole is trying to come up with something better
but these things take time, money and a good dose of unpredictable
inspiration. Something better will arrive, until then I'm using the
tools I have to do the best job I can.
I realize that this problem is difficult and may be one of those
things that can't be solved with current technology -- I may be Don
Quixote looking at windmills differently than others.
Most of the problems CAPTCHA's are intended to protect against are
social rather than technological. This is also important to
understand. As I mentioned earlier, if you want your normal users to
be able to do something, the evil ones will also be able to do it.
The best defence against dodgy inputs I've seen so far has been having
a good community on the site who pro-actively look for and take action
against it. Best example I can think of this late in the day is
Wikipedia.
-Stut
--
http://stut.net/
--
PHP General Mailing List (http://www.php.net/)