Type of hat with a 'tcha'
Added 2020-10-29 22:43:22 +0000 UTC
Hey all, hope you’ve been well. I’ll be talking this time around about something rather pointless (and a little spooky) that I’ve had to work on. Sounds silly? Yes, well, the internet is a silly place.
I’m talking, of course, about captcha. If you’re unaware of what that is: bless your charmed life. But basically it’s the name of an implementation of a challenge-response system whereby a user has to type in text before being able to perform an action on a webpage.
THP has used an implementation of it on threads that haven’t been bumped in a while for some time now. Mostly to stop spambots from bumping them as they do their automated thing.
So then, why was working on such a system pointless? Why did I work on one in the first place if there was something already in place?
The first question is answered by the cold, harsh reality that these sorts of systems have always been an arms race of sorts. As technology improves, “AI” or programs are developed to defeat them. Then new methods are developed to counter that and the counter to the counter is born and so forth. It’s easier than ever for an average person to use software to defeat these challenges, making stuff like captcha more of an annoyance to normal users than any sort of dedicated spammer. It can reasonably be summed up that it’s a highly flawed system with a lot of downsides.
With that said, there are advantages. Casual spam does tend to get caught. For a simple reason: most spam on small websites is generic and not targeted to circumvent specific filters. Not only will a random bot be befuddled by captcha but they might not even attempt to solve it, as the simplest of bots only look for certain fields to fill in and don’t even bother with enabling JavaScript.
So, just having a simple asynchronous request that a normal browser won’t notice—fetching a captcha when something is clicked—is already a massive deterrent. And then, if that captcha happens to be non-standard or require some “training” of the bot to solve, then that immediately defeats another large percentage of abusers.
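A server-side sketch of the gate described above, added here as an example and not THP's code: a challenge only exists once the asynchronous request has been made, it is tied to one thread, it expires, and it allows a single attempt. The function names, form field names, timeout and the 30-day staleness threshold are all assumptions.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 300            # assumption: seconds a challenge stays valid
STALE_AFTER = 30 * 24 * 3600   # assumption: "not bumped in a while" means 30 days
ALPHABET = "abcdefghkmnpqrstuvwxyz23456789"   # no look-alikes such as 0/o or 1/l
_pending = {}                  # challenge id -> (answer, thread_id, issued_at)


def issue_challenge(thread_id, now=None):
    """Handler for the asynchronous request fired when the reply form is used.

    Returns (challenge_id, answer). Only the id and the rendered image go to
    the browser; the answer text never leaves the server.
    """
    now = time.time() if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(5))
    challenge_id = secrets.token_urlsafe(16)
    _pending[challenge_id] = (answer, thread_id, now)
    return challenge_id, answer


def check_answer(challenge_id, typed, thread_id, now=None):
    """One attempt per challenge: the entry is removed whether or not it matches."""
    now = time.time() if now is None else now
    entry = _pending.pop(challenge_id, None)
    if entry is None:                      # never issued, already used, or forged
        return False
    answer, issued_for, issued_at = entry
    if issued_for != thread_id or now - issued_at > CHALLENGE_TTL:
        return False
    return hmac.compare_digest(answer.encode(), (typed or "").strip().lower().encode())


def accept_post(thread_id, last_bump, form, now=None):
    """Posts to recently bumped threads pass; stale threads need a solved challenge."""
    now = time.time() if now is None else now
    if now - last_bump < STALE_AFTER:
        return True
    return check_answer(form.get("captcha_id"), form.get("captcha_text"), thread_id, now)
```

A bot that only fills in the visible form fields never calls `issue_challenge`, so its post to a stale thread carries no valid challenge id and is rejected before any text comparison happens.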
We’ve partially answered the second question then. The other part of the answer is that the implementation I had picked had become unmaintained. Not a huge deal in and of itself but there were enough annoyances that I wanted to tweak that meant I had to work on someone else’s code and figure things out. Given the effort required I figured that I should just make my own solution, designed to be more closely integrated with THP.
Frankly, it wasn’t too technically challenging. Required learning of a library and the use of a couple of reference implementations on the internet. Since I was already under the assumption that anything I built would be broken by a dedicated spammer, I mostly focused on casual deterrence and not pissing off normal users. Here are a few (amusing) examples of the end result:

I’m not going to detail every single thing I did but suffice it to say that there’s a high degree of variation in terms of positioning, look and letter/number substitution. That it’s touhou-themed is a nice touch, I feel, and it’s easy to tweak further if the need should arise in the future.
For the time being, these only really apply to threads that haven’t been bumped. I don’t really care to make them obligatory for every post, as that annoys normal users more than anyone bored enough to train a program to defeat my simple system. I’ve been thinking about some of the spam that we’ve gotten as of late and, if a certain trend holds, captcha may appear for “new” users or IP addresses, though I’m far from certain that it’s necessary.
Seeing this implementation as one piece of a larger security system is the right way to go, in my opinion. Other anti-spam features are already in place and I’ve been thinking as of late of any number of small things that could go a long way in preventing the worst spam incidents. There’s a tightrope to walk, however, so it’s not the sort of thing that I’m implementing on a whim.
The new replacement captcha is done but I don’t think it will be rolled out until the next batch of changes to THP comes around. There’s a lot that’s been done on that front and I hope to talk about that on some other opportunity. For now, I’ll offer a rough assessment that it may well be within the first ten days of November. Time and testing permitting, as always.
Oh, I did say that this was a little spooky, right? To me, the fact that most internet traffic is performed by automated programs is absolutely frightening. Same thing with all those personalized algorithms and data mining. Thankfully, this captcha respects your privacy and doesn’t require any external services or connections to function. It’s more of a cute oddity, kind of like a blonde girl with a red ribbon and a black dress, surrounded by darkness.
I hope you all have a nice Halloween and manage to avoid getting spirited away. Unless you feel like it, of course. Until next time, take it easy!