Shostack + Friends Blog Archive



Captchas are those annoying, spamateur “type this so we can stop spam” things that you see on some blogs.

PWNtcha stands for “Pretend We’re Not a Turing Computer but a Human Antagonist”, as well as PWN capTCHAs. This project’s goal is to demonstrate the inefficiency of many captcha implementations.

For an overview on why visual captchas are a bad idea, see Matt May’s excellent presentation, Escape from CAPTCHA, as well as the W3C’s Inaccessibility of Visually-Oriented Anti-Robot Tests working draft.

See PWNtcha – captcha decoder. I look forward to the day when someone builds this into my browser. (Via Justin Mason’s feed.)

3 comments on "Released!"

  • DM says:

    There was an article awhile back (I can’t find it now) about how spammers were stealing captchas from legitimate websites and using them for registration for “free” porn sites and letting unsuspecting users decode them….

  • Chris Walsh says:

    Visual anything is a bad idea if one has a visually-impaired audience, of course.
    You say they’re spamateurish, but what superior alternative is there for the typical case of a blog with a small number of commenters/comments which gets overrun with comment spam from time to time?
    but you probably saw it on BoingBoing:

  • Is there any evidence that this captcha-for-porn is or will be widely implemented? What if every (say) blog had them?
    Moreover, if the system is generally working well, why not turn the attack a feature: a service for the visually-impaired that shunts the captcha test to a volunteer or paid service? Such systems would be embedded in realistic contexts, so it would be hard to spam them without the system detecting such efforts.
    Moving towards better efforts is nice, both for security and accessibility, but this particular issue could probably be solved with a $150k ADA grant…

Comments are closed.