April 4, 2008
In January of last year, Ned Batchelder fleshed out an idea of Damien Katz’s and Jan Lehnardt’s: negative CAPTCHA. CAPTCHA® – as you know – stands for Completely Automated Public Turing test to tell Computers and Humans Apart, and its purpose is to lock out automated systems, particularly bots designed to abuse HTML forms for submitting comment spam to blogs, internet fora, and other sites that would prefer only flesh and blood wingnuts be allowed to spam them.
There are two problems you might see with that. First, you may block out those using text-based browsers, either for accessibility or because they’re just weird. A serious corollary of this is that you will significantly degrade the level of discussion at your site by excluding the most intelligent of humanoids, the vanguard who browse the web under cover of NoScript.
The way around the first set of problems is to take the human path: label the form “only fill this out if you are a stupid bot.” Those who fill it out deserve to be blocked because they probably wrote some snide comment in it. Or they’re a bot.
Ned’s piece proposes dealing with the latter problem with a certain amount of server-side randomization, and backing it up – as we do CAPTCHA – with content analysis. And trained monkey moderators.
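To make the two halves of the scheme concrete (the bait field humans never fill in, plus per-request randomization so a bot cannot learn which field is the bait), here is an added Python example. It is not Ned’s code nor anything from the RoR Security Project; the field names, the stand-in secret, the one-hour lifetime and the plain dict standing in for a POSTed form are all assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time
from html import escape

# Constructed stand-in secret; a real site keeps this out of the source tree.
SERVER_SECRET = b"example-secret-not-for-production"
REAL_FIELDS = ("name", "email", "comment")   # assumed logical form fields
HONEYPOT = "url"          # logical name of the bait field; humans never see it
TTL_SECONDS = 3600        # assumed lifetime of a rendered form


def field_name(logical, spinner):
    """Derive the per-request field name for a logical field from the secret
    and the spinner, so the server can recompute it without storing state."""
    digest = hmac.new(SERVER_SECRET, f"{logical}:{spinner}".encode(), hashlib.sha256)
    return "f" + digest.hexdigest()[:16]


def new_spinner(now=None):
    """Spinner = issue time plus a random nonce, carried in a hidden field."""
    now = int(time.time() if now is None else now)
    return f"{now}.{secrets.token_hex(8)}"


def render_form(spinner):
    """Render the form with randomized names.  The honeypot is hidden by CSS
    and labelled so that text-browser users know to leave it alone."""
    rows = [
        f'<label>{escape(f)} <input name="{field_name(f, spinner)}"></label>'
        for f in REAL_FIELDS
    ]
    rows.append(
        '<div style="display:none"><label>Leave this empty if you are human '
        f'<input name="{field_name(HONEYPOT, spinner)}"></label></div>'
    )
    rows.append(f'<input type="hidden" name="spinner" value="{escape(spinner)}">')
    return '<form method="post">\n' + "\n".join(rows) + "\n</form>"


def validate_submission(form, now=None):
    """Return (ok, reason, fields) for a dict of posted name -> value.

    Rejects when the spinner is missing or malformed, when the form is stale
    or post-dated, when the honeypot carries anything at all, or when the
    poster used the plain logical names instead of the per-request ones."""
    now = int(time.time() if now is None else now)
    spinner = form.get("spinner", "")
    try:
        issued = int(spinner.split(".", 1)[0])
    except ValueError:
        return False, "missing or malformed spinner", {}
    if not 0 <= now - issued <= TTL_SECONDS:
        return False, "form expired or post-dated", {}
    if form.get(field_name(HONEYPOT, spinner), ""):
        return False, "honeypot filled", {}
    if any(f in form for f in REAL_FIELDS):
        return False, "static field names used", {}
    fields = {f: form.get(field_name(f, spinner), "") for f in REAL_FIELDS}
    return True, "ok", fields


if __name__ == "__main__":
    sp = new_spinner()
    print(render_form(sp))
    # A human submission: only the visible, randomized fields are filled.
    human = {"spinner": sp, field_name("name", sp): "Ann",
             field_name("email", sp): "ann@example.org",
             field_name("comment", sp): "Nice post."}
    print(validate_submission(human))
    # A bot that fills every input it finds trips the honeypot.
    bot = dict(human, **{field_name(HONEYPOT, sp): "http://spam.example"})
    print(validate_submission(bot))
```

Because the names are derived from the secret and the spinner rather than stored, validation needs no session state; the timestamp inside the spinner is what bounds how long a harvested form can be replayed.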
Of course nothing is impenetrable for the bad guys or infallible in serving the good guys, but it seems to me that, all things being equal, this is more accessible and less obtrusive for human users. At least until the bots and their lobbyists push through Section 508 Subpart (R) mandating equal access for the blood-flow and organic process impaired.
(Revivified and brought to my attention by Heiko Webers’ RoR Security Project.)