Beats me
I'm sure they get a better success rate on captchas than me
Google's and Facebook's CAPTCHA services have been defeated in research that successfully designed an automated system to solve the "are-you-human?" verification challenges. CAPTCHAS are designed to make life easier for trusted users and painful for bots, by presenting challenges that are difficult for software to crack. …
I'm not an expert, but (as I understand it), NAT (particularly for mobile connections) places numerous devices on a single public (routeable) address. So insisting that each user have a different IP address would block many legitimate users.
> I'm not an expert, but (as I understand it), NAT (particularly for mobile connections) places numerous devices on a single public (routeable) address. So insisting that each user have a different IP address would block many legitimate users.
And the problem is...?
Another anti-bot technique is to impose rate limits. Limiting Facebook, Twitter, Instagram etc users to, say, one post per month should solve any bot problem.
"They were also able to spin up a virtual host that assumed the necessary identifying criteria of a legitimate user and could then generate clean cookies to solve CAPTCHAs out of the normal bounds."
I'm trying to make sense of this sentence, and I'm a human being (I think).
I don't get why this is more than academically interesting.
Spammers are willing to spend money on humans to solve trivial problems. CAPTCHAs should only be one element in a broader set of protections.
As an example, Yahoo financial message boards. No regular user registers, then immediately proceeds to post 100 messages to 100 different boards separated by only a few seconds. A CAPTCHA per posting won't block this spam. Analyzing behavior will quickly shut it down.
Exponential rate limiting. Start over at a random time of the day. If the user input is supposed to be typed, measure the time it takes for a reasonable typist to enter the comment (or whatever). Go from there. Display a clock if you must allow for cutting and pasting, but double up on the time out period.
Yes, they are a pain. I doubt that the google people can solve all of them accurately.