←back to thread

405 points blindgeek | 1 comments | | HN request time: 0.207s | source
Show context
jchw ◴[] No.42173090[source]
I hope we can end the CAPTCHA experiment soon. It didn't work.

Phone verification isn't good either, but for as much as I hate phone verification at least it actually raises the cost of spamming somewhat. CAPTCHA does not. Almost all turnkey CAPTCHA services can be solved for pennies.

Solving the problems of SPAM and malicious traffic will be challenging... I am worried it will come down to three possible things:

- Anonymity of users: validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.

- Closing the platform: approaches like Web Environment Integrity and Private Access Tokens pave the way for how the web platform could be closed down. The vast majority of web users use Google Chrome or Safari on a device with Secure Boot, so the entire boot chain can be attested. The number of users that can viably do this will only increase over time. In this future, the web ceases to meaningfully be open: alternatives to this approach will continue to become less and less useful (e.g. machine learning may not achieve AGI but it's going to kick the ass of every CAPTCHA in sight) so it will become increasingly unlikely you'll be able to get into websites without it.

- Accountability of network operators: Love it or hate it, the Internet benefits a lot from gray-area operators that operate with little oversight or transparency. However, another approach to getting rid of malicious traffic is to push more accountability to network operators, severing non-compliant providers off of the Internet. This would probably also suck, and would incentivize abusing this power.

It's tricky, though. What else can you do? You can try to reduce the incentives to have malicious traffic, but it's hard to do this without decreasing the value that things offer. You can make malicious traffic harder by obfuscation, but it's hard to stop motivated parties.

Either way, it feels like the era of the open web is basically over. The open web may continue to exist, but it will probably be overshadowed by a new and much more closed off web.

replies(15): >>42173427 #>>42173571 #>>42173573 #>>42173636 #>>42173652 #>>42173854 #>>42174051 #>>42174079 #>>42174452 #>>42174502 #>>42174730 #>>42174882 #>>42175601 #>>42175632 #>>42175764 #
mapt ◴[] No.42173652[source]
There is another option.

CAPTCHA is useful only when it is costly to solve. It is a costly signal that this is a real person, or at least is more than 1/10^9th of a real person (you're not running a fully automated spam system).

The postal service also has costs - everybody that wants to move something through the postal service needs to buy a stamp. Transport fees are a 'natural' way to moderate traffic and deter spam.

Various combinations of network architecture and cryptocoinage permit you to invoke transport fees per attempted transmission/login. Sensible ones, if every spam email or login guess costs even 1 penny it becomes prohibitive for most fully automated spam applications. The cryptocoin aspect is specifically about preserving anonymity of private wallet access while permitting the cash-like transactions that stamps enable.

replies(6): >>42173730 #>>42173910 #>>42173934 #>>42174028 #>>42174563 #>>42188474 #
Retr0id ◴[] No.42173934[source]
Although solving a captcha can be translated into a monetary cost (often the cost of labour for a human in a clickfarm to solve it for you), the nice thing is that it's still "free" to solve normally.

If you switch to direct payments that are still affordable for routine use by your poorest users, then your rich adversaries can afford to generate orders of magnitude more spam (until we solve unequal wealth distribution globally).

Also, the cost of using a postal service nominally covers its operating costs. The cost of actually transferring a spammy HTTP request over the internet is negligible, but the costs imposed on its receiver are less so (i.e. the cost of responding to it (cpu/ram/disk/bandwidth), second-order costs of lowering the quality of the service for everyone else, etc.).

replies(1): >>42175170 #
Y_Y ◴[] No.42175170[source]
> until we solve unequal wealth distribution globally

Is this a joke?

replies(1): >>42175732 #
Retr0id ◴[] No.42175732[source]
Why would it be a joke?
replies(1): >>42178316 #
Y_Y ◴[] No.42178316[source]
Even assuming that uneven distribution is a problem, and that it was possible to make global wealth evenly distributed, it would be such a collosal undertaking that it would necessarily entail massive social upheaval and take a very long time after which the captcha problem would hardly be comparable to what we have now.
replies(1): >>42179074 #
Retr0id ◴[] No.42179074[source]
None of that is at all relevant to the point I was making. Whether you think extreme wealth inequality is good or bad, for as long as it exists, it makes paying fixed fees a poor alternative to captchas.
replies(2): >>42181003 #>>42181721 #
1. Y_Y ◴[] No.42181721[source]
Until we solve the "water is wet" problem domain squatting will continue to be an issue.

Without a definitive resolution to the continuum hypothesis there will be no efficient distributed consensus algorithm.

As long as humanity bears the mark of Original Sin, it will be hard to run a business selling GPL software.