自动收发短信验证码机器人

I’m sure you’ve seen them many times — those wild squiggles that need to be deciphered and typed into a text box before you can buy concert tickets online or access a comment form.

我相信您已经看过很多次了-需要解密并在文本框中输入这些狂野的曲折，然后才能在线购买演唱会门票或访问评论表。

CAPTCHAs are generally one or two words presented as graphics, overlaid with some kind of distortion, and they function as a test that relies on your human ability to recognize them. CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart." This is a misnomer, because a CAPTCHA isn’t a Turing test — but we’ll come back to that later!

验证码通常是一个或两个单词，以图形表示，上面覆盖着某种失真，它们的作用取决于您人类识别它们的能力。 CAPTCHA代表“完全自动化的公共Turing测试，以区分计算机和人类。” 这是用词不当，因为验证码不是 图灵测试 -但我们稍后会再讲！

The CAPTCHA innovation was pioneered by developers at Carnegie Mellon University. The idea behind it was to develop a means of distinguishing between people and web robots, so that web sites could offer their resources to individual humans without being exploited by robots.

CAPTCHA创新是由卡内基梅隆大学的开发人员开创的。 其背后的想法是开发一种区分人和网络机器人的方法，以便网站可以将资源提供给个人，而不会被机器人利用。

需要验证码(或其他) (The Need for CAPTCHA (or Something))

Site owners face a number of unique challenges in protecting their resources from automated harvesting. These include:

网站所有者在保护其资源免受自动收获方面面临着许多独特的挑战。 这些包括：

• Resources may be expensive to provide, and machines can consume far more data far more quickly than humans. Therefore, services that are machine-accessible may prove prohibitively expensive to maintain.提供资源的成本可能很高，并且机器消耗的数据要比人类快得多。 因此，机器可访问的服务维护成本可能过高。
• Allowing bots to post comments and user-generated content opens a floodgate for spammers, which inevitably results in massive volumes of spam — often to the point where a service becomes unuseable.允许僵尸程序发表评论和用户生成的内容为垃圾邮件发送者打开了闸门，这不可避免地导致大量垃圾邮件-经常导致服务无法使用。
• Data may be highly sensitive, such as personal medical or financial information, and needs to be sufficiently protected to prevent against attacks from data-mining robots.数据可能是高度敏感的，例如个人医疗或财务信息，并且需要得到充分保护以防止受到数据挖掘机器人的攻击。
• Interactions with a system may have fundamental implications for society as a whole; consider the issues that would arise in the case of electronic voting.与系统的交互可能会对整个社会产生根本的影响； 考虑在电子投票的情况下可能出现的问题。

验证码问题 (The Problem with CAPTCHA)

CAPTCHA systems create a significant accessibility barrier, since they require the user to be able to see and understand shapes that may be very distorted and difficult to read. A CAPTCHA is therefore difficult or impossible for people who are blind or partially sighted, or have a cognitive disability such as dyslexia, to translate into the plain text box.

CAPTCHA系统会造成严重的可访问性障碍，因为它们要求用户能够看到和理解可能会非常扭曲且难以阅读的形状。 因此，对于盲人或部分视力不佳或患有阅读障碍等认知障碍的人来说，CAPTCHA很难翻译成纯文本框。

And of course there can be no plain-text equivalent for such an image, because that alternative would be readable by machines and therefore undermine the original purpose.

当然，对于这种图像，不可能有与之等效的纯文本格式，因为这种替代方式将可由机器读取，从而破坏了原始目的。

Since users with these disabilities are unable to perform critical tasks, such as creating accounts or making purchases, the CAPTCHA system can clearly be seen to fail this group.

由于这些残障用户无法执行关键任务，例如创建帐户或进行购买，因此可以清楚地看到CAPTCHA系统使该组失败。

Such a system is also eminently crackable. A CAPTCHA can be understood by suitably sophisticated scanning and character recognition software, such as that employed by postal systems the world over to recognize handwritten zip or postal codes. Or images can be aggregated and fed to a human, who can manually process thousands of such images in a day to create a database of known images — which can then be easily identified.

这样的系统也是非常容易破解的。 可以通过适当复杂的扫描和字符识别软件来理解CAPTCHA，例如，全世界的邮政系统都使用该软件来识别手写的邮政编码。 或者，可以将图像聚合并提供给人类，人类可以每天手动处理成千上万个这样的图像，以创建已知图像的数据库，然后可以轻松地对其进行识别。

Recent high-profile cases of bots cracking the CAPTCHA system on Windows Live Hotmail and Gmail have highlighted the issue, as spammers created thousands of bogus accounts and flooded the systems with junk. Even more recently, security firm Websense Security Labs have reported that the Windows Live CAPTCHA can be cracked in as little as 60 seconds.

最近出现的备受瞩目的僵尸程序案例破坏了Windows Live Hotmail和Gmail上的CAPTCHA系统，因为垃圾邮件发送者创建了数千个虚假帐户，并用垃圾邮件充斥了系统。 安全公司Websense Security Labs最近甚至报告说，Windows Live CAPTCHA可以在短短60秒内破解。

One CAPTCHA-cracking project, called PWNtcha ("Pretend We’re Not a Turing Computer but a Human Antagonist"), reports success rates between 49% and 100% at cracking some of the most popular systems, including 99% for the system used by LiveJournal, and 88% for that employed by PayPal.

一个名为PWNtcha (“假装我们不是图灵计算机，而是人类对立主义者 ”)的验证码破解项目报告说，在破解某些最受欢迎的系统时，成功率在49％至100％之间，其中99％用于所使用的系统由LiveJournal提供，88％由PayPal使用。

Thus, the growth and proliferation of CAPTCHA systems should be taken less as evidence of their success than as evidence of the human propensity to be comforted by things that provide a false sense of security.

因此，CAPTCHA系统的增长和扩散不应被视为其成功的证据，而应被视为人类容易受到提供虚假安全感的事物所安慰的证据。

It’s ironic that CAPTCHA can be defeated by those who are sufficiently motivated, when they’re the very same people the test is designed to protect against. Just like DRM, CAPTCHA systems ultimately fail to protect against the original threat, while simultaneously inconveniencing ordinary users.

具有讽刺意味的是，如果有足够的积极性，并且测试所针对的人是完全相同的人，则可以击败CAPTCHA。 就像DRM一样，CAPTCHA系统最终无法防御原始威胁，同时给普通用户带来不便。

Heck, I find them difficult to read, and I have perfect 20/20 vision. When I signed up for my Facebook account I had to try five different images and two different browsers until I got my application through. Tedious in the extreme.

哎呀， 我发现它们很难阅读，而且我的视力达到了完美的20/20。 当我注册我的Facebook帐户时，我必须尝试5种不同的图像和2种不同的浏览器，直到我通过我的应用程序。 极端乏味。

Just try this example.

只要尝试这个例子。

What does that first word say? "One"? "Dime"? I have no idea. To take it even further, have a look at this illustration from Matt May‘s presentation Escape from CAPTCHA, and see how well you’d be able to deal with it!

那第一个字怎么说？ “之一”？ “十分钱”？ 我不知道。 为了更进一步，请看一下Matt May的演示文稿从CAPTCHA中的Escape中的插图，并了解您将如何处理它！

The problem could be seen more philosophically, as a question of "how does a machine recognize a human." So in that sense, a CAPTCHA is more like a reverse Turing test, since a Turing test is about computers fooling humans, rather than humans fooling computers. But a true Turing test is about machine intelligence, whereas all a CAPTCHA tests is perceptual comprehension (which a real human can fail as easily as a machine can pass); really, a CAPTCHA isn’t a Turing test at all.

这个问题可以从哲学的角度来看，例如“机器如何识别人”的问题。 因此，从这个意义上讲，验证码更像是反向图灵测试，因为图灵测试是关于计算机在欺骗人类，而不是人类在欺骗计算机。 但是真正的Turing测试是关于机器智能的，而所有的CAPTCHA测试都是感知性的(真正的人可能像机器通过一样容易失败)。 实际上，CAPTCHA根本不是图灵测试。

CAPTCHA的替代品 (Alternatives to CAPTCHA)

The purpose of CAPTCHA systems is to protect resources from bots while allowing access to humans, but they fail to do either of those things.

CAPTCHA系统的目的是在允许人类访问的同时，保护机器人免受资源侵害，但是它们却无法做到这两项。

On the other hand, anyone who’s used such a system on a high-traffic site knows that they do make a difference. Abandoning them increases the volume of unwanted traffic, sometimes to an unmanageable extent.

另一方面，在高流量站点上使用了这样的系统的任何人都知道他们确实有所作为。 放弃它们会增加不必要的流量，有时会达到无法控制的程度。

Clearly there’s a need for something. So what are the alternatives to CAPTCHA?

显然，需要一些东西 。 那么，验证码的替代方法是什么？

Non-linguistic Visual Tests

非语言视觉测验

Tests that use images other than words may be generally easier for users, since all they have to do is comprehend an undistorted picture, rather than decode distorted language. A prominent (and, I believe, pioneering) example of this is KittenAuth:

对于用户来说，使用除单词以外的图像的测试通常可能更容易，因为他们要做的只是理解一张没有失真的图片，而不是解码失真的语言。 KittenAuth就是一个突出的例子(我相信，也是开创性的)：

The system shows you a set of nine images, three of which are kittens. You have to identify the three kittens in order to pass authentication.

系统显示一组九幅图像，其中三幅是小猫。 您必须识别三只小猫才能通过身份验证。

Although the failure rate for regular humans may be lower, and their comprehension by people with cognitive disabilities may be better, they still let down users who are blind or partially sighted. They also require a basic level of knowledge — you have to know what a kitten looks like. It’s easy to take that much for granted, but it remains a highly cultural assumption; you might know, but can you be absolutely sure that all of your users do?

尽管普通人的失败率可能更低，认知障碍者的理解力可能更好，但他们仍然会让盲人或部分失明的用户失望。 他们还需要基本的知识水平-您必须知道小猫是什么样的。 认为这是理所当然的事情很容易，但这仍然是高度文化的假设。 您可能知道，但是您可以绝对确定所有用户都这样做吗？

This idea has also been taken to more frivolous places, such as a system based on the somewhat dubious "hot or not" tests, shown here.

这个想法也被带到了其他一些轻浮的地方，例如这里显示的基于有点可疑的“热或不热”测试的系统。

Some may find that version funny, others may find it offensive. Either way, it’s no use as a genuine authentication system. The answers are arbitrary, and in any case, they can be mined programmatically from the Hot-or-Not web site! Audio Tests

有些人可能会觉得该版本很有趣，其他人可能会觉得它令人反感。 无论哪种方式，它都没有作为真正的身份验证系统使用。 答案是任意的，并且在任何情况下，都可以通过“有或没有”网站以编程方式获取答案！ 音频测试

An alternative to a visual CAPTCHA test is an audio test, where a series of words or letters are spoken out loud and offered to users as an audio file; this audio is also overlaid with distortion of some kind, in the same attempt to prevent programmatic decoding.

可视化验证码测试的替代方法是音频测试，其中会大声说出一系列单词或字母，并以音频文件的形式提供给用户； 该音频也被某种失真覆盖，以防止编程解码的相同尝试。

However, such tests have exactly the same issues as visual CAPTCHAS. They solve the visual issue, sure, but they do so by introducing another, equally problematic barrier. People who are deaf and blind, who work in a noisy environment, lack the necessary hardware for sound output, or are unable to understand the sound due to a cognitive disability, or even a language barrier, are no better supported than with a conventional visual test.

但是，此类测试与视觉CAPTCHAS具有完全相同的问题。 当然，他们解决了视觉问题，但是通过引入另一个同样有问题的障碍来解决。 聋哑人，在嘈杂环境中工作，缺少必要的声音输出硬件，或者由于认知障碍甚至语言障碍而无法理解声音的人，都没有比传统视觉系统更好的支持。测试。

Also, audio tests are as equally vulnerable to being cracked by suitably motivated bot programmers as visual ones. Logical or Semantic Puzzles

而且，音频测试和视频工程师一样，容易受到动机适当的机器人程序员的破解。 逻辑或语义难题

Eric Meyer‘s Gatekeeper plugin for WordPress works by asking a simple question, framed in such a way as to make it extremely difficult for machines to understand while blatantly obvious to humans. Would you get this one?

埃里克·梅耶 ( Eric Meyer )的适用于WordPress的Gatekeeper插件的工作原理是，提出一个简单的问题，以使机器难以理解而又对人类显而易见的方式来构造框架。 你会得到这个吗？

Other questions might be "What color is an orange?" or "How many sides has a triangle?"

其他问题可能是“橙色是什么颜色？” 或“三角形有多少边？”

The Achilles heel of this system is its scope. It has a limited number of questions and answers and is therefore vulnerable to brute-force attack. That problem can be reduced — but not solved completely — using flood-control (preventing a single user from making multiple attempts within a certain timeframe) and by ensuring that the selection of questions is large and frequently changed.

该系统的致命弱点是它的范围。 它的问题和答案数量有限，因此容易受到蛮力攻击。 使用泛洪控制(防止单个用户在特定时间范围内进行多次尝试)并确保问题的选择范围大且经常更改，可以减少(但不能完全解决)该问题。

But the system is also underpinned by assumptions of knowledge. Ideally, the questions should be so simple that a child could answer them easily — as is certainly the case in this example. But for every question, we still have to assume that any human can answer it, which may not be true, especially when you factor cognitive disability or language barriers into the equation.

但是，该系统还以知识假设为基础。 理想情况下，问题应该如此简单，以使孩子可以轻松地回答这些问题-正如本示例中的情况一样。 但是对于每个问题，我们仍然必须假设任何人都可以回答，但这可能并非正确，尤其是当您将认知障碍或语言障碍纳入方程式时。

And as a system such as this proliferates, it may become increasingly difficult to think of good questions. We might end up resorting to jokes!

随着诸如此类的系统的激增，思考好问题可能变得越来越困难。 我们可能最终会开玩笑！

Unfortunately a system based on multiple choices like this would be very weak, because simple guesswork would produce a crack rate of 33%. Yet if we allowed freeform answers to a question like that, there’s far too much of an assumed-knowledge overhead — the user would have to recognize the joke, and then give an answer that the system can comprehend as correct.

不幸的是，基于这样的多种选择的系统将非常薄弱，因为简单的猜测会产生33％的破解率。 但是，如果我们允许对这样的问题进行自由形式的回答，那么假设的知识开销就会太高了-用户将不得不认出这个笑话，然后给出一个系统可以理解为正确的答案。

Individual Authentication

个人认证

For the highest level of security, individual authorization is always required. To log in to online banking, pay a credit-card bill, or vote, the system needs to know not just that you’re a human, but that you’re a specific human.

为了获得最高的安全性，始终需要个人授权。 要登录在线银行业务，支付信用卡账单或投票，系统不仅需要知道您是个人，还需要知道您是特定的人。

This kind of authentication could be harnessed to provide a lower level of certainty in more general applications, as authentication for a system where your specific identify is not required — only that you’re a person.

可以利用这种身份验证在更通用的应用程序中提供较低的确定性，例如，对于不需要您的特定身份(仅是您自己)的系统的身份验证。

The simplest approach here is to require users to register before being able to comment, post, or add content to a site. This certainly reduces the amount of casual spam that a system might get, but it does nothing to put off a determined spammer who’s prepared to take the time to create an account.

这里最简单的方法是要求用户注册后才能评论，发布或向网站添加内容。 这无疑减少了系统可能收到的临时垃圾邮件的数量，但是它并不会阻止准备花时间创建帐户的坚定垃圾邮件发送者。

It’s not difficult to find large numbers of people prepared to do this kind of work for next to nothing, given the wide range of living costs across the world economy. It would be trivially cheap for a spammer in a rich country to pay people in a poor country to do this kind of work all day.

考虑到世界经济中广泛的生活成本，不难发现有大量人准备几乎无所事事地从事这种工作。 对于富裕国家的垃圾邮件制造者来说，全天付钱给贫穷国家的人做这种工作将是非常便宜的。

Centralized Sign-on

集中登录

A system of centralized sign-on can mitigate the potential for abuse by putting all the impetus on a single system to authenticate users once, and then give them free rein thereafter.

集中式登录系统可以通过将所有推动力放在一个系统上来对用户进行一次身份验证，然后再让他们自由使用，从而减轻滥用的可能性。

Systems such as Microsoft Passport offer this kind of centralization; however, they also create significant privacy questions, as you have to be prepared to trust your personal data to a single, commercial entity (quite apart from the fact that Passport uses CAPTCHA authentication!).

诸如Microsoft Passport之类的系统提供了这种集中化。 但是，它们也带来了重大的隐私问题，因为您必须准备好将您的个人数据信任到单个商业实体(除了Passport使用CAPTCHA身份验证的事实！)。

However, a most promising alternative to this has recently begun to gain traction, in the form of OpenID. The OpenID system avoids privacy issues because it isn’t limited to a single authentication provider — you can pick and choose, and change at any time, who you trust to hold your authentication information. This information in turn is not revealed to the site you’re visiting; therefore, it offers a convenient means of centralized authentication without the attendant privacy issues.

但是，最近最有希望的替代方法已经以OpenID的形式开始受到关注。 OpenID系统避免了隐私问题，因为它不仅限于单个身份验证提供者-您可以随时选择并选择和更改信任的人来保存身份验证信息。 反过来，这些信息也不会透露给您正在访问的网站； 因此，它提供了一种方便的集中式身份验证方式，而不会带来隐私问题。

The weak point of the system is how you obtain an OpenID in the first place, since some form of authentication is going to be required there. Simply having an OpenID is not enough to prove that you’re a legitimate user, so the onus would end up being on individual sites or OpenID providers to police the use of OpenID; for example, by banning OpenIDs that are known to be spammers. This in itself could end up being a minefield for disputes.

系统的弱点是首先要获取OpenID的方法，因为在那里将需要某种形式的身份验证。 仅仅拥有一个OpenID不足以证明您是合法用户，因此最终的责任将落在各个站点或OpenID提供者上，以监督OpenID的使用。 例如，通过禁止已知为垃圾邮件发送者的OpenID。 这本身最终可能成为争端的雷区。

OpenID is a good idea, and is bound to catch on, but in itself does not address the issue at hand any better than individual authentication.

OpenID是一个好主意，势必会流行，但是它本身不能比单独的身份验证更好地解决当前的问题。

非交互式解决方案 (Non-interactive Solutions)

We’ve looked at a number of interactive solutions now, and seen how none of them are entirely perfect, either for protection from robot attack, or for reliably identifying humans without introducing accessibility barriers.

现在，我们已经研究了许多交互式解决方案，并且看到它们在保护机器人免受攻击或在不引入可访问性障碍的情况下可靠地识别人的情况下，如何做到完美无缺。

Perhaps the solution lies with non-interactive solutions. These analyze data as it’s being submitted, rather than relying on users to authenticate themselves.

解决方案可能在于非交互解决方案。 这些将在提交数据时对其进行分析，而不是依靠用户进行身份验证。

Honey Traps

蜂蜜陷阱

The idea here is that you include a form field, which is hidden with CSS, and give it a name that encourages spam bots to fill it in, such as "email2." The human user will never fill it in because they don’t know it’s there, but the bot won’t be able to tell the difference. Therefore, if that field contains any value when the form is submitted, the submission is rejected.

这里的想法是，您包括一个用CSS隐藏的表单字段，并为其提供一个鼓励垃圾邮件机器人填写的名称，例如“ email2”。 人类用户永远不会填写它，因为他们不知道它在那儿，但是机器人无法分辨出区别。 因此，如果在提交表单时该字段包含任何值，则提交将被拒绝。

The problem is that assistive technologies may not be able to tell the difference either, and so their users may not know not to fill it in. That possibility could be reduced with descriptive text, such as "do not complete this field," but doing that may be very confusing, as well as being recognizable by a bot.

问题在于，辅助技术也可能无法分辨出差异，因此他们的用户可能也不知道不填写。可以通过描述性文字来减少这种可能性，例如“不填写此字段”，但是这可能会非常令人困惑，并且可能会被机器人识别。

Another variant of this is a simple trap that asks human users to confirm they’re not robots. This could take the form of a checkbox, like this one.

另一个变种是一个简单的陷阱，它要求人类用户确认自己不是机器人。 可以采用复选框的形式，例如此复选框。

In both these examples, however, bots could learn to recognize the trap and thereby circumvent it. It’s one of those things that only works as long as not many people are using it — as soon as it became prevalent, on high-traffic sites like Digg or Facebook, the spammers would simply adapt.

但是，在这两个示例中，机器人都可以学习识别陷阱并从而规避陷阱。 这是只有在没有多少人使用的情况下它才能起作用的一件事-一旦流行起来，在Digg或Facebook这样的高流量网站上，垃圾邮件发送者就会简单地适应。

Session Keys

会话键

A partial solution for form submission is to generate a session key on the fly when building the original form, and then check that session key when the form is submitted. This will prevent bots that bypass the form and post directly to its target, but it does nothing to stop bots that go through the regular web form.

表单提交的部分解决方案是在构建原始表单时动态生成会话密钥，然后在提交表单时检查该会话密钥。 这将防止漫游器绕过表单并直接发布到其目标，但是它并不能阻止漫游器通过常规Web表单。

Spam Filtering and Heuristics

垃圾邮件过滤和启发式

Systems that accept user-generated content (such as blog comments) can filter content based on specific keywords (like "Viagra"), or using Bayesian filters to recognize patterns that might indicate spam. Such systems are already used by the vast majority of email systems, and are highly effective in reducing spam.

接受用户生成的内容(例如博客评论)的系统可以基于特定的关键字(例如“ Viagra”)来过滤内容，或者使用贝叶斯过滤器来识别可能表明垃圾邮件的模式。 此类系统已被绝大多数电子邮件系统使用，并且在减少垃圾邮件方面非常有效。

More sophisticated systems use a combination of filtering and heuristics that identify spam by additional factors, such as how quickly a comment was posted. One popular system is Spam Karma, which produces reports like this one.

更复杂的系统使用过滤和启发式技术的组合，通过其他因素(例如，发表评论的速度)来识别垃圾邮件。 一种流行的系统是Spam Karma，它会生成此类报告。

The report shows how a number of factors contribute to an overall "karma" score: posts with a low enough score are automatically rejected (and the admin is sent an email like the above).

该报告显示了许多因素如何影响总体“业力”分数：分数足够低的帖子将自动被拒绝(并且向管理员发送类似于上述的电子邮件)。

It’s a misunderstanding of the nature of Karma to think that it can apply to individuals. Philosophical meanderings aside, this is a highly effective system that can make a huge difference to the spam overhead a site admin has to deal with.

认为它可以应用于个人是对业力本质的误解。 除了哲学上的曲折之外，这是一个非常有效的系统，可以对网站管理员必须处理的垃圾邮件开销产生巨大的影响。

There’s also a third-party service called Akismet, which works on the same principle of content filtering using keywords and heuristics. Since the system is managed centrally it has a much larger base of data to work from, which should make its assessments far more reliable — with a lower chance of spam getting through or of making a "false positive" (identifying as spam something which is legitimate).

还有一个名为Akismet的第三方服务，该服务的工作原理与使用关键字和启​​发式方法进行内容过滤相同。 由于系统是集中管理的，因此有大量的工作数据基础，这应使其评估更加可靠-垃圾邮件通过或“误报”(将垃圾邮件识别为垃圾邮件)的可能性较低。合法)。

Limited-use Accounts

受限帐户

One way for a system such as free email to limit abuse by robots is to deliberately throttle new accounts for a period of time; for example, by only allowing ten emails to be sent per day for the first month.

例如免费电子邮件之类的系统来限制机器人滥用的一种方法是，在一段时间内故意限制新帐户。 例如，第一个月每天只允许发送十封电子邮件。

However, this approach may not ultimately help. It may reduce the incidence of abuse on a per-account basis, but it doesn’t prevent abuse entirely. There’s also nothing to stop a spammer from simply signing up for thousands of accounts and sending ten spam emails from each one. And of course, such a limitation may affect legitimate users as well, but legitimate users aren’t going to be inclined to sign up for multiple accounts.

但是，这种方法可能最终没有帮助。 它可以按帐户减少滥用的可能性，但不能完全防止滥用。 也没有什么可以阻止垃圾邮件制造者简单地注册数千个帐户并从每个帐户发送十封垃圾邮件。 当然，这样的限制也可能会影响合法用户，但是合法用户不会倾向于注册多个帐户。

结论 (Conclusion)

The conclusion? Don’t make users take responsibility for our problems.

结论？ 不要让用户对我们的问题负责。

Bots, and the damage they cause, are not the fault or responsibility of individual users, and it’s totally unfair to expect them to take the responsibility. They’re not the fault of site owners either, but like it or not they are our responsibility — it’s we who suffer from them, we who benefit from their eradication, and therefore we who should shoulder the burden. And using interactive authentication systems such as CAPTCHA effectively passes the buck from us to our users.

僵尸程序及其造成的损害不是个别用户的过错或责任，期望他们承担责任绝对不公平。 它们也不是站点所有者的错，但是不管喜欢与否，这都是我们的责任-正是我们受苦于他们，我们从根除中受益，因此我们应该承担责任。 并使用诸如CAPTCHA之类的交互式身份验证系统，可以有效地将我们的责任转移给用户。

Moreover, the common theme with all interactive alternatives is that they fail users who have a cognitive disability, or don’t understand the same cultural cues as the author, or use assistive technologies. The more stringent the system, the higher the bar is raised and therefore the greater the chance of failing to recognize or admit a real human.

此外，所有交互式替代方案的共同主题是，它们会使具有认知障碍或与作者没有相同文化暗示或使用辅助技术的用户失败。 系统越严格，竖起的标杆越高，因此无法识别或接纳真实人类的机会就越大。

In my view, the right way to address this problem is with non-interactive solutions that ordinary users don’t even need to be aware of. Systems such as Spam Karma and Akismet are highly effective at reducing the amount of spam that site administrators have to deal with. In fact, we use Spam Karma here at SitePoint, and it does make a significant difference.

我认为，解决此问题的正确方法是使用普通用户甚至不需要了解的非交互式解决方案。 诸如Spam Karma和Akismet之类的系统在减少站点管理员必须处理的垃圾邮件数量方面非常有效。 实际上，我们在SitePoint上使用了Spam Karma，并且确实起到了很大作用。

The Future

未来

It’s clear that both interactive and non-interactive tests will continue to be used by site owners for the foreseeable future. Developers will try to come up with new and better tests, and spammers will continue to find ways of cracking them; it’s very much a vicious circle.

显然，在可预见的将来，网站所有者将继续使用交互式和非交互式测试。 开发人员将尝试提出新的更好的测试，而垃圾邮件发送者将继续寻找破解它们的方法。 这是一个恶性循环。

Perhaps, at some point in the future, somebody will come up with a test that is truly reliable and uncrackable — something that identifies humans in a way that cannot be faked. Maybe biometric data such as fingerprints or retina scans could factor into that somewhere; perhaps we’ll have direct neural interfaces that identify the presence of brain activity.

也许在将来的某个时刻，有人会提出一种真正可靠且不可破解的测试，这种测试以无法伪造的方式识别人类。 也许指纹或视网膜扫描等生物识别数据可能会将其归因于此。 也许我们将拥有直接的神经接口来识别大脑活动的存在。

Personally, I’m still hoping for telepathic XML!

就个人而言，我仍然希望使用心灵感应XML！

翻译自: https://www.sitepoint.com/captcha-problems-alternatives/

自动收发短信验证码机器人