The Bot Wars – the defeat of CAPTCHA and the rise of a new hero to secure your forms – part one

in #programming, 7 years ago (edited)

A long time ago in an internet far, far away a bunch of forms were built. They were simple forms, nice forms, helpful forms, and the users of these forms had little problem filling them in and sending their information and requests to the mysterious beings from beyond the screen, called – The Webmasters.



The Webmasters welcomed the data from these forms. It became their joy to see all the data flowing in from people all over the world. It was these interactions that brought life to the lifeless internet. It made the whole thing… more. And this was celebrated throughout the dim recesses of the murky world inhabited by those who plied their trade in the arcane practice of writing code.

As the level of interactions increased, and the number of forms multiplied, the depth and breadth of data being captured skyrocketed. Clever boffins found new ways to use this data, devised new services and features to help the very users who were supplying the data in the first place.

This process began to take on a life of its own, and it evolved and grew at a rate that no-one could predict or control. It was becoming a force in its own right, pushing and pulling the direction of development and dictating the course of huge parts of the open internet. It dominated thinking and planning and deployment. It became ‘The Force’.

The Webmasters, those venerable mystics who sought to bring good to the world, were soon overwhelmed and then side-lined. No longer able to direct and control the flow of the force, they were relegated to mere functionary roles – hacking code and not asking questions. Control was now ceded to marketers, and they ruled with an iron fist.

They slurped up as much data as the webmasters could feed them and asked for more, faster, yesterday! But those were the ‘white hat’ marketers. They wanted to use the data to do wonderful things for the users who supplied the data, while making a healthy profit of course. They were not benevolent, but they were not malicious either. Well, not all the time anyway.

The rise of the Dark Lords

But a new breed of marketer emerged from the shadows. These shadowy figures cared nothing for the data. They cared nothing for the Webmasters. They had a different plan. Like parasitic worms, they used the wonderful forms that the majestic Webmasters had spent large sections of their lives crafting, sometimes from the smallest and rarest of libraries - libraries that were just a few hours old before they were harvested for use in the forms.
They took what was made and perverted it, twisted it for their own ends without a care for the damage that might cause.

In the beginning this was frowned upon, but little was done to prevent it. There was no budget for protecting the forms, and the marketers blamed the Webmasters and told them to fix the forms in their own time.

The Webmasters, true to their calling, tried. But it was difficult. Each time they thought they had a solution, the evil marketers were quick to catch up and change their tactics. It was an arms race that they were constantly losing, not by much, but by just enough that it was a problem.

And then one day a new hero emerged that promised to save the day. He would stand between the forms and the evil bot army unleashed by the rogue marketers and prevent them from filling in the forms. It seemed so simple back then, it seemed so pure and right and bomb proof, as the Webmasters rejoiced and hailed their new hero – CAPTCHA.

CAPTCHA - a hero for our time

This sentinel was on guard twenty-four hours a day, taking hit after hit from the seething hordes of bots as they crashed against the shield he provided. At first the users of the form were charmed by his presence. They marvelled at his trickery and his ability to defeat attack after attack. And for a time there was hope that the Webmasters had won.

But it was not to be. Captcha had a flaw, and it did not take too long for the bot army to find it and exploit it. To be fair, Captcha stood his ground, stalwart to the end, trying his best to defend the forms and the trust that had been given to him. And while not all attacks succeeded, many did. Enough that the marketers went back to the Webmasters and called them fools.

Frustrated and embarrassed, the Webmasters tried again to defeat the bot army. Over weekends and after hours, they toiled without pay, without pizza, to find a solution. Would another hero step into the fray? Could no-one help the poor beleaguered Webmasters?

All hope seemed lost. Forms were being overrun left, right and centre. The marketers were at their wit’s end. Their precious data was being polluted and trust was being eroded to the point that it was feared that users would simply stop filling in the forms altogether. Something had to be done. But what?

In the darkness of those times a new hero rose to face the bot armies. It offered the users a selection of pictures and asked them to choose specific ones, like all of those with a left handed, black cat wearing a top hat and tails on his way to a banquet with the Queen.

The users were amazed, they were entertained. They clicked on images and clicked on some more. The bots couldn’t tell the difference between a cat and a candle and were constantly choosing the wrong options.

At last the battle was won and the Webmasters could breathe a sigh of relief. The marketers were doubly happy because this new hero, whilst protecting the world from the bot armies and keeping their data clean, was also collecting his own data for them to use.

What a hero, that super protector of forms they called – reCaptcha.

reCAPTCHA - so much better looking than CAPTCHA

For a time there was peace and prosperity. The bot armies were defeated, or at least their attacks were unsuccessful. But a bot never sleeps, and those tasked with creating them lived lives fuelled by cheap caffeine and pizza. Their efforts were redoubled, and soon enough the cracks began to show in our new hero.

Small rumours started to spread, hushed whispers in darkened forums. reCaptcha was broken and the bots were getting through. No-one wanted to speak the truth out loud, for to do so would make it true. The Webmasters did what they could to shore up their defences, but there was another problem. The users were getting fed up with the left handed black cat hunt. More and more they began to complain about having to prove their humanness.

Once again a champion was needed, one that would allow the users to post photos of their cats being funny without having to prove they were human. One that the bot army couldn’t adapt to. One that used the bot army’s strengths against them.

Many heroes stepped up to try their hand at protecting the forms. Some succeeded for a time, and then fell. But few, if any, proved to be a match for the bot army while allowing the users free rein to populate the internet with a plethora of cat-related paraphernalia.

Until now.

The first Super Hero

Working quietly in the background, a new hero is gearing up for battle. His tactics and strategies are different from the previous heroes. His purpose is true and his heart is strong, and he will stand as no other hero stands – in the shadows behind the form, protecting the marketer’s data and saving the beleaguered Webmasters.

Users of the form will never see his shield, they will never see him stand and face the bot army. They will not even know he is there. And neither will the bot army.

The bots will be defeated without even knowing they have been engaged. For this hero is not the knightly kind, with a shiny shield and flashing sword, or even left handed black cats. This hero is more of a street magician, a sleight of hand artist. The bots will be foiled and will leave confused, to search for prey elsewhere.

This champion of the forms and their users was different. He wasn’t a piece of technology conceived, developed and hatched by those with IQs in the thousands. He wasn’t a library of code that was simply plugged in, like a finger in a dyke. He was a concept, an understanding, a method, an algorithm. And as such he could take a myriad of forms, each one slightly different, each one infuriatingly effective against the assailing bots.

And it is this ability to morph and change that is the key to the final defeat of the bot army.

For the first hero, Captcha, and his successor, reCaptcha, the bots had a known library of code to attack. They could learn about their enemy, investigate its innards and run a million tests to find the best vectors to succeed in their attack.

But for our new hero, there is no such library. And if an attack is successful on one form, it may not succeed on any other form in existence. And for that one form, once it has let a bot through, the hero can morph and change, and what worked once will not work again.

Just imagine the frustration in bot headquarters as failure follows success and more and more of their massed armies become useless.

In part two we will examine our new hero in all his glory.


This series is written in response to a few posts on Steemit about securing forms against bots.
A while ago I had a series of forms that were being hammered by bots on a daily basis. My email was full of messages offering to help me source cheap meds, fix my tiny, tiny, hands and meet women that my wife wouldn’t approve of.

We had tried CAPTCHA and reCAPTCHA but while they worked for some time, after a couple of months, the bots were getting through once more.

So I sat down and thought about this and came up with a way of defeating them. I hatched a plan based on the research I did and came up with a script that I deployed on some of the forms.

Nearly a year or so later I have not had a single bot email from those forms, while the users have not been hindered in filling out the forms. I’d call that a success.

In part two I’ll detail the technique I used and why it works, and why it is so much harder for the bots to break through this defence.


Check out my stories here on Steemit

Running Deer

Running Deer - part 1
Running Deer - How legends are born

Charlie Rabbit

Meet Charlie Rabbit
Charlie tides up
Charlie Rabbit and Margery Mouse
Charlie Rabbit and Margery Mouse make music

Little Peppers Adventures

Runaway Rabbit and the hungry fox
Maybe and the land of purple rainbows – A Little Peppers adventure
How Pappa Pepper and Monster Truck the Pepper got their wild hogs - a Little Peppers Adeventure

Dark Angel Regiment of the Space Marines - Mission Files

First Squad Sniper Elite - Zaresith mission

Other stories

Stranded
The Lady Of The Lake


Also don't forget to check out my Dad's blog

Who else can tell you stories about impersonating an officer, stealing a military aircraft to go on a booze run, or stealing military aircraft and going on an unsanctioned bombing run - and that's all before he turned 18!

Check out @len.george and find out what other madness he got up to!


Are you new to Steemit and trying to figure out what it's all about?

Head over to: https://www.steemithelp.net/. It's the best place to get a handle on what the platform is all about.



Highly entertaining, brother! Man, the tale is so engrossing. Who could that hero be?? Reading part 2 right now and will be commenting with more detail there :D

Thanks for that. Looking forward to reading what you think of it.

Interesting and very informative... thanks for sharing! Followed you!

Thanks very much. Followed back :-)

Oh, thank you too... I appreciate your follow. :)

Amazing post, very thought provoking. It's crazy to think where we have come from.

Thanks :-)
Be sure to check out part two where I tell you how to protect your forms and how I did it for mine.

Well done again. After that you deserve a holiday.

Your dad sounds like the coolest dad I have ever seen!!! Definitely gonna check him out!

I wouldn't go that far hehehe.

But he has gotten up to some mischief in his time for sure.

Cool. :P

Greatly written article! I love the way you write!

If you have the solution, I would make sure you monetise this before throwing the details, or even the idea out in the open!

Can you invent something that can detect the bots here at Steemit? I opt for a bot-less Steemit, ok, reading bots are ok, but no vote bots please. They do not enhance the user experiences of the community, I actually believe they harm the user experience and are partially the cause of a shorter short tail when it comes to reward distribution. So much looking forward when we can make Steemit a human service, rather than a bot dominated service.

Lessons learned? When setting a step into some new direction (collecting data through forms for instance), always, and I mean always be aware of misuse, of new stuff invented to use whatever you just created, to your disadvantage, or to harm it in another way. History showed that over and over again.

like a finger in a dyke

LOL, I'm Dutch, so this remark related very much here, I even think we invented that remark, or better 'saying'.

hehe thanks for your reply. ;-)

My way of dealing with bots, as I'll explain in the next post, is something anyone can do really. (well anyone who can write a bit of JavaScript)

And I am monetising it. I'm putting it up on Steemit!! hehe

I have a few bits and pieces of code that I'm hoping to put up to help people out. I've been meaning to get this one done for ages, and some conversations recently prodded me to do it.

It's not so much a plugin or anything, although I could give you the code to do it. It's a method of setting things up and manipulating things to confound the bots.

I don't think it would work on Steemit because I think the bots work directly on the blockchain through the cli interface.

I could be completely wrong about that though. I've not really investigated it.

And I agree that steemit would be better without the voting bots.

The most valuable solutions are usually those that are super simple :) FB service was a super simple one! And see where they are now? 450B$ market cap. Monetise this through the likes of Google, FB and others. Or at least for SME (small and medium enterprises). Set up your own little company and tell the world you have a rock solid solution for form bots, something way better than Captcha and reCaptcha. I'm pretty sure you can earn lots more dollars than here on Steemit. BTW, if you prefer to get paid by the normal world in crypto coins, offer a service where they convert their dollars into crypto coins of your preferences all under water :) This is just my commercial sense talking! So, in case you do not necessarily want to get 'rich' in terms of whatever currency, still take all that money and start a foundation where you support whatever you want to support; in that way you control distribution of funds.

BTW, I'm interested to help you set up such a project / enterprise! :)

I hear what you're saying, but the problem is many fold-

1 - anyone can do this
2 - I want to make the interweb better, and if that means by giving away some stuff, I'm good with that
3 - my ultimate goal is to get out of programming and write for a living
4 - I'm sure there was a 4 in there somewhere, but it's getting late and my brain has officially clocked off for the evening

edit -

Once I put the solution up, if you want to take it and run with it and make a fortune, go for it ;-) and good luck to you.

I'm not an engineer, writing scripts or code is not my thing. So I need you to support. BUT that said, I appreciate your views and go along with those! :) Looking fwd to your next post explaining the secret!
