The weird thing about this entire No Captcha solution, in my opinion, is that it assumes that a captcha is the most efficient method for defeating spam.
In most blackhat circles, captchas are an afterthought. You figure out everything else (IPs, original content), then plug in a service like deathbycaptcha that solves the captcha for... looks like $1.39 per 1000 (thanks to ultramancool for the correction). (http://deathbycaptcha.com). What nocaptcha does is only show that captcha (which is already defeated), to a certain subset of the users who haven't been deemed trustworthy. So, the big bot builders will take a day or two and beat the system, and we're right back to where we started.
Honeypots, however, are brutal - especially if you throw a couple in there. When building a bot you build it for efficiency. If your site does anything abnormal (whether it's 'what's n+n?' or 'what popular figure comes through your chimney in December?') a bot is hopeless.
That being said, however, a bot is only hopeless so long as a solution isn't implemented widely enough to be worth breaking through for spammers. If, for example, Wordpress came up with 1000 questions like that, someone somewhere would come up with and sell 1000 solutions.
In some sense it may be the case that Google is one of the worst companies to create a simple anti-spam API. I'm sure there's something they could do that would be more effective than this, but this won't really move the needle.
Just a small correction, it's $1.39 per 1000. Some competing services are as low as $1 per 1000.
> If your site does anything abnormal (whether it's 'what's n+n?' or 'what popular figure comes through your chimney in December?') a bot is hopeless.
Check out https://github.com/kbhomes/TextCaptchaBreaker for a great example of how trivial these are to break. And free too. Not to mention you could convert them to an image and feed them to a site like deathbycaptcha, antigate, etc. I've tried feeding some fun stuff like this through these services, you get interesting results and will likely have a high failure rate, but you'll get enough right to pass around 50-70% of the time.
Honeypot fields are pointless as a good bot just rips the whole form and fills in what it wants, if needed, executes JS too.
Of course, I'm assuming a determined attacker going after your individual site, not a bot just spamming random web forms. So it really depends on your threat model.
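An added example (not code from the thread) of the two bots the reply above contrasts: a form carrying a CSS-hidden honeypot field, the server-side check that goes with it, a naive bot that fills every field it rips and is caught, and a bot that leaves fields a browser would not render untouched and gets through. The form markup, the field names (`website` as the honeypot, `comment` as the real field) and the spam payload are constructed for the example.

```python
"""Honeypot field vs. two form-ripping bots (added example, constructed form)."""
from html.parser import HTMLParser

# Constructed sample form. Assumption: 'website' is the honeypot, hidden by CSS,
# and 'csrf' is an ordinary hidden token the server expects back unchanged.
FORM_HTML = """
<form method="post" action="/comment">
  <input type="text" name="name">
  <textarea name="comment"></textarea>
  <div style="display: none"><input type="text" name="website" value=""></div>
  <input type="hidden" name="csrf" value="abc123">
  <button type="submit">Post</button>
</form>
"""

VOID_TAGS = {"input", "br", "img", "meta", "link", "hr"}


class FormFields(HTMLParser):
    """Collect named input/textarea fields and whether a human could see them."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self._hidden_stack = []  # one bool per open non-void element: is it hidden?

    @staticmethod
    def _css_hides(style):
        s = style.replace(" ", "").lower()
        return "display:none" in s or "visibility:hidden" in s

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = self._css_hides(a.get("style") or "")
        if tag in ("input", "textarea") and a.get("name"):
            self.fields.append({
                "name": a["name"],
                "type": a.get("type", "text"),
                "value": a.get("value") or "",
                # hidden if the field itself, an ancestor, or its type hides it
                "hidden": hides or a.get("type") == "hidden" or any(self._hidden_stack),
            })
        if tag not in VOID_TAGS:
            self._hidden_stack.append(hides)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()


def parse_form(html):
    p = FormFields()
    p.feed(html)
    return p.fields


def server_accepts(post):
    """Server-side honeypot check: 'website' must come back empty, 'comment' filled."""
    return post.get("website", "") == "" and post.get("comment", "").strip() != ""


def naive_bot(html, payload):
    """Fills every field that is not type=hidden, honeypot included: gets caught."""
    return {f["name"]: f["value"] if f["type"] == "hidden" else payload
            for f in parse_form(html)}


def careful_bot(html, payload):
    """Fills only fields a browser would render; submits hidden ones as served."""
    return {f["name"]: f["value"] if f["hidden"] else payload
            for f in parse_form(html)}


if __name__ == "__main__":
    for bot in (naive_bot, careful_bot):
        post = bot(FORM_HTML, "cheap pills")
        print(bot.__name__, "accepted" if server_accepts(post) else "rejected", post)
```

The careful bot only needs the CSS check above to clear this honeypot; one that executes JS or renders the page in a headless browser sees exactly what a user sees and needs no heuristics at all, which is the threat-model point the reply makes.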
> If your site does anything abnormal (whether it's 'what's n+n?' or 'what popular figure comes through your chimney in December?') a bot is hopeless.
I run a forum using Invision Power Boards, which has a built in question-and-answer verification during registration. Soon after I set it up I watched a bot in the server logs completing the registration in only a couple seconds.
I suspect that because IPB is a big enough target, they farm out the questions just like they farm out CAPTCHAs, and build a database of questions and answers. You'd need to include some randomness in the questions to throw them off.
With both of your examples (and many others I've come across) those question type captchas can be done with a quick ping to Google and a sanity check on the answer.
"what popular figure comes through your chimney in December" -> "Santa Claus - Wikipedia, the free encyclopedia"
"what's 1+1" -> "2"
They only really work if maybe the question is in the market of the site you're registering for: "What's <some popular guy on site>'s last name" etc.
~$1.30 for 100 captchas, $50 for 10000 Google searches per day, along with other search engines filling the same role.
Probably the most damning thing is they are questions and answers from a database; unless you bother to make your DB unique (so no using openly available Q/A databases), everyone is going to have access to the right answers.
Also, similar to paying people to answer captchas, you can pay people to answer questions.
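An added example (not code from the thread, and not TextCaptchaBreaker's code) of how a bot handles the question-and-answer "captchas" discussed in the replies above: it first consults a harvested answer database keyed on the normalised question text (the database a bot farm builds up, as the IPB and shared-Q/A-database comments describe), then falls back to parsing simple arithmetic written in digits or number words, which is the class of question the search-plus-sanity-check approach handles. The questions, the answers and the contents of the database are constructed; the search-engine step itself is left out so the code runs offline.

```python
"""Solver for text-question captchas (added example, constructed questions/answers)."""
import re

NUMBER_WORDS = {w: i for i, w in enumerate(
    "zero one two three four five six seven eight nine ten eleven twelve thirteen "
    "fourteen fifteen sixteen seventeen eighteen nineteen twenty".split())}
NUMBER_WORDS.update({"thirty": 30, "forty": 40, "fifty": 50, "sixty": 60,
                     "seventy": 70, "eighty": 80, "ninety": 90})

# Number token: digits, a number word, or "twenty one" / "twenty-one".
NUMWORD = "|".join(sorted(NUMBER_WORDS, key=len, reverse=True))
NUM = rf"\b(\d+|(?:{NUMWORD})(?:[ -](?:{NUMWORD}))?)\b"

ADD, SUB, MUL = (lambda a, b: a + b), (lambda a, b: a - b), (lambda a, b: a * b)
OPS = {"+": ADD, "plus": ADD, "added to": ADD, "-": SUB, "minus": SUB,
       "*": MUL, "x": MUL, "times": MUL, "multiplied by": MUL}
PREFIX_OPS = {"sum of": ADD, "total of": ADD, "product of": MUL,
              "difference between": SUB}

BINARY = re.compile(rf"{NUM}\s*(\+|-|\*|x|plus|minus|times|multiplied by|added to)\s*{NUM}", re.I)
PREFIX = re.compile(rf"\b(sum of|total of|product of|difference between)\s+{NUM}\s+and\s+{NUM}", re.I)


def to_int(tok):
    """'7' -> 7, 'seven' -> 7, 'twenty-one' -> 21; None if it is not a number."""
    tok = tok.lower().strip()
    if tok.isdigit():
        return int(tok)
    parts = re.split(r"[ -]", tok)
    if not all(p in NUMBER_WORDS for p in parts) or len(parts) > 2:
        return None
    if len(parts) == 1:
        return NUMBER_WORDS[parts[0]]
    tens, ones = NUMBER_WORDS[parts[0]], NUMBER_WORDS[parts[1]]
    return tens + ones if tens >= 20 and tens % 10 == 0 and ones < 10 else None


def normalise(question):
    """Key used for the harvested database: case and punctuation do not matter."""
    return re.sub(r"[^a-z0-9 ]", "", question.lower()).strip()


# Constructed 'harvested' database: answers seen to work, keyed by normalised question.
HARVESTED = {
    normalise("What popular figure comes through your chimney in December?"): "santa claus",
    normalise("What colour is the sky on a clear day?"): "blue",
}


def solve(question, db=HARVESTED):
    """Return the answer as a string ready for the form field, or None if unsolved."""
    key = normalise(question)
    if key in db:
        return db[key]
    m = PREFIX.search(question)
    if m:
        a, b = to_int(m.group(2)), to_int(m.group(3))
        if a is not None and b is not None:
            return str(PREFIX_OPS[m.group(1).lower()](a, b))
    m = BINARY.search(question)
    if m:
        a, b = to_int(m.group(1)), to_int(m.group(3))
        if a is not None and b is not None:
            return str(OPS[m.group(2).lower()](a, b))
    return None  # unknown question: this is where a search query or a human would go


if __name__ == "__main__":
    for q in ("what's 1+1", "What is seven plus twelve?",
              "What popular figure comes through your chimney in December?",
              "what's n+n?"):
        print(repr(q), "->", solve(q))
```

Note what the normalisation buys the attacker: rewording the punctuation or capitalisation of a database question changes nothing, and randomising the numbers in an arithmetic question only changes the operands the parser already handles. The questions that actually fall through (the `None` case) are the ones specific to the site, which is the point the comment above makes.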