Domain: captcha.net
Stories and comments across the archive that link to captcha.net.
Comments · 55
-
CAPTCHA
There's no way to only provide access to human browser users, and to exclude automated scripts. O RLY? Blind people can just listen to radio instead of watching tele-vision.
-
24-hour marathon of "Upgrade Flash Player"
Flash is a published standard, just like PDF. That's how Gnash is able to write their application. Which version of SWF has Adobe published? Imagine a 24-hour marathon of the television series "Upgrade to Flash Player 9" on the "Adobe Systems" channel. So it would still be possible to write a program to download the .swf file, read it, and automate the responses necessary to get the listing data. Unless the image data is encoded as a scrambled image which Flash Player's compositor reassembles. And that produces not text but a screenshot of a distorted image. Blind people can go listen to radio instead of downloading tele-vision listings.
-
audio captcha
Especially with provisions of Section 508 and the ADA (and foreign counterparts) that ban discrimination against blind people, who use computers through screen readers that render text as speech or braille, some sites are including an audio option.
Examples are here (under Guidelines > Accessibility) and here.
-
Re:Oh no!
Bantown claims to have figured out a way to subvert that test...
CAPTCHA images are useful, but not unbreakable. If they were planning on using that as their only line of defense against scripts, they were really kidding themselves. Simple distorted and discolored text is difficult but not impossible to crack. The CAPTCHA Project is working on more sophisticated forms, using multiple words, image groups, and even audio.
-
It's simple.
If you want your online app to not be used by scripts such as this, implement a CAPTCHA. Sure, people could still use it if they wanted to input a bunch of letters for every single chunk of their file...
-
Re:mobile phones?
When did captchas suddenly lose their power? I can't see theirs on the list of broken ones and it does seem to have all properties required from a strong captcha.
Google accumulates too much cross-referencable personal information if you ask me. It is your next Big Brother or a franchise of one.
Say you searched for something like 'nuclear bomb howto'. Via proxy, mind you. Having your cell phone at hand, it becomes possible to pick you up on terrorism charges in the next 10 minutes. It's an exaggerated example, but think about it.
To possess all this information and withstand the temptation to 'process' it - this requires a lot of respect for individual privacy and moral strength. Google can claim 'make no evil' all they want, but I just don't believe them anymore.
-
Let's get it done and over with...
Your post advocates a
(x) technical ( ) legislative ( ) market-based (x) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
(x) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
(This time the spammers will be doing the filtering, and that will be quite easy for them.)
(x) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
-
Image analysis used for decoding CAPTCHAs
I've been reading about various projects that are using software-based image analysis to decode CAPTCHAs. What's a CAPTCHA? It's a "completely automated public test to tell computers and humans apart". In other words, it's one of those incredibly annoying "warped text images" where you have to type the text that is warped and strangely colored. The idea behind these is that a script bot can't decode the image and type in the correct letters, but a person can. Thus, websites can keep out scripts but allow humans. This is used for such things as creating Hotmail accounts, for example.
Several projects have had excellent luck using image processing algorithms to recognize the warped and mangled text areas, separate out the letters, then figure out what alphanumeric character it is. What's interesting about this research is that it's starting a sort of Cold War between websites that use CAPTCHAs and spammers who are doing their own research to break them with script bots. As the CAPTCHAs get more complex, and the text more convoluted, the script bots are using ever more complex image processing algorithms. This escalating war could be beneficial for anyone interested in using image processing algorithms, especially when the information you're looking for exists in a graphically "noisy" environment.
The best place to learn more about this is PWNtcha - captcha decoder.
Another guy spent about 24 hours creating his own image processing algorithm that uses a graphics function to discover the outlines of character shapes, then runs each character through a neural net which could recognize the shape of the character (and these characters are seriously warped, so it's not your typical OCR). Also, be sure to see his other page which talks about how his software can crack 92% of GIMPY-generated CAPTCHAs!
Also check out http://www.captcha.net/.
Google for more information about using AI image processing routines to defeat CAPTCHAs. This is an area of active research that will result in a lot of new algorithms and processes in the coming years!
-
Re:This is why...
wtf?
That completely off-topic comment was probably the work of a hostile script (or "bot"?), which grabs a comment from one topic and randomly reposts it somewhere else.
If you try logging out and then posting, you will see a CAPTCHA field appear. It is apparently an effort to combat this form of tampering, and it is apparently failing.
-
Re:Nice!
If the ??AA is going to keep logs, then are they not participating in the piracy of their own material? Regardless, we need a shit filled network of random requests and broadcasts routed simultaneously. Save data as it goes over the "wire" since there is no requestor. This is all ridiculous bullshit, but since they are driven by scarcity we will continue to evade their grasp of such with the INFINITE possibilities of protocol, routing, encryption, algorithms, physical media, and dialect. Read that sentence again and analyze the capitalized word: there is no way to control chaos.
P.S. to slashdot.org: thank you for putting a CAPTCHA on anonymous postings. It's the car alarm of the Internet, and now it's here. Pathetic. I CAN see and I barely could read the letters in this piece of crap.
-
Re:Add your pros and cons here
-
Moderator system
So use one of those things that tells you to type in the word in the box below, and it's all distorted with noise added to defeat character recognition algorithms.
It's called CAPTCHA.
I'd like to add that finer control could be made with, say, a moderator system with a karma rating to weed out the SEDO's ;-).
-
Re:Isn't the effectiveness now compromised?
If you don't like the captcha tests, you might be interested in this article by a goatse troll that either used to or still does haunt Slashdot. In it, he describes how to defeat Slashdot's humanconf module by using a perl script, the GIMP and gocr.
Note: the guy is a troll so his description is crude. But he's not an idiot.
The captcha project themselves are beginning to see their hoped-for results. The idea of captcha is simple: use a "hard AI" problem (such as obscured character recognition) to ensure that only people, not machines, can access a resource. As a side benefit, they are hoping that attackers will "step up" to the challenge posed by captchas. By developing more and more sophisticated pattern recognition algorithms (to defeat their captchas), the attackers are actually advancing computer science!
-
Re:Magic in MMORPGs
Sorry to respond to myself, but just after I posted this I did think of one thing: CAPTCHA.
How this could be used in a puzzle to render bots entirely useless without annoying the human, I don't know. And certainly, CAPTCHA will eventually be "cracked", though it's effective for the near future.
-
A better solution...
A better solution to limiting blogspam is to combine spam blacklists along with simply making it harder to post comments on OLD entries that have scrolled off the main page into history.
Either disable new posts to the archives entirely, or make it difficult to automate by requiring human email and/or captcha security image verification.
-
Re:This solves only 1/2 of the problem
The best one I've seen renders a series of characters graphically (a la TicketBastard) which the user (a human, of course) has to type into a text field on the comment form before their comment is accepted.
Sure, that's great for humans using a graphical browser, with images turned on, and 20/20 vision. But that doesn't cover all internet users. What about text browsers? What about screen readers?
This is the age of internet accessibility folks, and it's exactly why I refuse to use Captcha tests on my own blog - instead, I currently filter all comments and trackbacks through wp-spamassassin. Haven't had a single problem yet, although it's early days.
The rel="nofollow" trick sounds promising for killing off the PageRank cheats, but it won't stop humans clicking the links...
-
So...
Guess I'm asking at the wrong place, but does this mean if I send email using my uni's SMTP server with my Yahoo! E-mail address in the "from" field, I will receive a challenge? A challenge being an email to the sender's address so they know the address is active, I'm guessing.
And I read of a whitelist/blacklist. Does this mean the user having to manage this list? It looks like it's being done so that the user can reactively work about it though (instead of actively), maybe an email that says "You got email from xyz, do you want this email?" Heh, an email about an email, that'd be annoying.
I tried sending email using Yahoo!'s web interface with 3 addresses in the "To" field today, and when I clicked "Send" it asked me to answer a Captcha. Interesting.
-
EZ Solution(?): CAPTCHA
Easy fix for Google,
Insert a CAPTCHA between the AdSense ad and the advertiser's site.
It will stop fraudulent clicking by 'bots but won't stop fraudulent clicking by humans. It will also drive up Google's bandwidth expenses.
Does anybody have a better solution than this?
-
Re:Hey Google, please don't make us...
They're called "captchas", a product of Carnegie Mellon
-
Re:Simple Solution..CAPTCHAs sorta work-not really
That is the CAPTCHA method of doing things, which helps to an extent.
The thing is, the spammers, in league with pornographers have circumvented this approach. I don't have the Slashdot link handy for this but I remember reading about that process here. Basically an elaborate software 'network' is set up so that all the following can occur all in real time.
1) Spammer signs up for a throwaway email account and encounters a CAPTCHA image during the account creation process.
2) The image is delivered in real time to a visitor of a porn site a la 'DECODE THIS PIC TO GET YOUR FREE 1-DAY PASS TO HOT XXX ACTION NOW!!!!'
3) The image is decoded, the porn site visitor gets access to their porn and the decode results are fed back to the email account signup site.
4) If correct, the spammer has a new throwaway account to spam from.
I should add that steps 3 and 4 are simplified for clarity. In real life, I'd expect the pornospammers to give the CAPTCHA response back to the email site first and if successful THEN give access to the pornosurfer as a reward for decoding the image.
Since the spammers can't decode these CAPTCHA images in bulk in a reasonable amount of time, why not distribute the workload like they do for SETI@home, Folding@home, and the GIMPS project?
The way things are going, the day may come where you have to do just about everything account-related online now in an offline fashion via mail, phone, fax, or in person somewhere just to cut down on all the spam and whatnot.
-
If/when they get fed up...
There's a simple solution. They'll put a Captcha on every file access.
Then again, if you end up using GMail as off-site backup storage it is not that much of a pain to enter the Captcha text a bunch of times to get your rar'ed hard drive image from your inbox in the event of an unrecoverable disaster. :)
-
This is not something new...
CMU has been working on Secure Human Authentication (HUMANOIDs) for quite some time now.
Their scheme is also more difficult to guess since it suggests that the user should make a random mistake to confuse the guessing adversary!!!
-
Re:CAPTCHA
Well, if you discount the porn method and you're talking just about using code to do it, I'd be surprised if you could beat pix.
OTOH, I'd be a bit surprised they had a 100% hit rate with people, too. I just saw a couple that looked like the "right" answer could have been any number of things.
-
CAPTCHA is an acronym
CAPTCHA:
Completely
Automated
Public
Turing Test to Tell
Computers and
Humans
Apart
For more info: www.captcha.net
-
I'm neither blind nor deaf, but...
...the images here are absolutely unreadable. If I had to use this to subscribe to a site or forum, or fill out a form, I'd just say "screw it", and wander on down the 'net.
-
Re:Low Abusability for Now
-
The real issue is trust management.
Just like spam on other media (email, usenet, web forums, etc), you can apply quick and dirty fixes:
- IP # based black lists
- URL based black lists
- CAPTCHA (images and/or audio) authentication
- keyword filtering
- bayesian/statistical filtering
- etc...
But the real issue is always the same: trust management. You want to be able to grant as much trust as possible to trustworthy (non-spamming) strangers, while revoking all trust to others.
So why do we always want to build trust management systems on top of other systems, and not design a stand-alone one, that can be used by a wide range of media (email, usenet, blogs, etc)?
Note: identifying "personas" does not mean identifying "real people", so there are no privacy issues in such a system.
-
Re:What are we going to do? - whitelist whitelist
It's easy - but it involves implementing a database for your email addresses. This is how it works:
- database maintains two lists:
1. your list of valid send to addresses - much like your current address book. But these addresses are much longer and cannot be guessed. I'm thinking something like a 100 byte random email address.
2. the list of valid email addresses people use to send you email.
Your mail reader gets a valid email address either from your local database - and should validate it with the send to mail host - or the mail reader retrieves a CAPTCHA for the person to solve from the destination's database server.
The mail daemon on the receiving end checks with its local database for a valid send to address. Remember it's really long so spammers cannot search this space. If the address is valid the user gets the mail. If it's not valid, then the mail daemon checks the return address to see if it's valid. If it's not - then no action is taken - if it is valid then the sender of the mail gets a response from the mail daemon explaining how to get a valid email address via a CAPTCHA test.
If you get spam on a valid email address - you tell your database to cancel that address. Voila! No more spam on that address. Now if someone wants to send you spam they can get a valid send to address but it takes a few seconds of actual human time to get it (the CAPTCHA). But it's only good until the receiver cancels the address.
This system is completely workable with existing internet mail. Now I need to learn how to write an RFC and submit it.
This would require that people store the actual valid send to email addresses inside some sort of address book - unless they want to go through a CAPTCHA for every email they send.
This would also allow people to determine where spammers are getting their email addresses from.
A user could generate a valid send to address for him/herself without going through a CAPTCHA for places that require an email - like your bank.
Note: this would not stop those nasty email viruses from sending themselves. That's a separate problem of people running attachments that are sent to them via email. Though this would probably slow down those virii a little.
CAPTCHA: see http://www.captcha.net/ for more info on this curious acronym
-
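The receiving-side logic of the "whitelist whitelist" scheme in the post above, written out as an added example; this is my own toy model, not code from the post or from the CAPTCHA project. Names such as `MailboxGateway`, `Verdict`, `issue_address` and `inbound` are my own, the state lives in memory instead of a real database, and the "is the return address valid" step is reduced to a syntactic check (a real daemon would verify the sender's domain or MX). It also labels each issued address with the party it was handed to, which is what lets the owner see where a spammer got an address when spam arrives on it:

```python
# Added example (not the post's own code): a toy in-memory model of the
# "whitelist whitelist" mail scheme.  Class and function names are mine.
import re
import secrets
from dataclasses import dataclass, field
from enum import Enum

# Loose syntactic check standing in for "the return address is valid".
# Constructed for this example; a real MTA would verify domain/MX instead.
_ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class Verdict(Enum):
    DELIVER = "deliver"      # recipient is a live issued send-to address
    CHALLENGE = "challenge"  # unknown recipient, usable sender: explain the CAPTCHA route
    DROP = "drop"            # unknown recipient and no usable return address: no action


@dataclass
class MailboxGateway:
    domain: str
    # List 1 of the post: long random send-to addresses we handed out,
    # keyed by address and holding a label for whom it was given to.
    issued: dict = field(default_factory=dict)
    # List 2: the send-to addresses other people issued to us (sending side).
    address_book: dict = field(default_factory=dict)
    cancelled: set = field(default_factory=set)

    def issue_address(self, label: str) -> str:
        # The post wants ~100 random bytes; RFC 5321 caps the local part at
        # 64 octets, so 64 hex characters (256 random bits) are used instead,
        # which is still far too large a space for anyone to enumerate.
        addr = f"{secrets.token_hex(32)}@{self.domain}"
        self.issued[addr] = label
        return addr

    def cancel(self, addr: str) -> None:
        # Spam arrived on this address: revoke it, so future mail to it is refused.
        if self.issued.pop(addr, None) is not None:
            self.cancelled.add(addr)

    def leaked_via(self, addr: str):
        # The label says who was given this address, i.e. where a leak came from.
        return self.issued.get(addr)

    def inbound(self, rcpt: str, return_path: str) -> Verdict:
        if rcpt in self.issued:
            return Verdict.DELIVER
        # Guessed or cancelled recipient: only reply if the return address looks
        # usable, otherwise a challenge would just bounce (or backscatter).
        if return_path and _ADDR_RE.match(return_path):
            return Verdict.CHALLENGE
        return Verdict.DROP

    def challenge_text(self, owner_label: str) -> str:
        # The daemon's reply: how to obtain a send-to address via a CAPTCHA.
        return (f"Mail to this address was not accepted. To obtain a valid address for "
                f"{owner_label}, solve the CAPTCHA on the request page at {self.domain}.")

    # --- sending side -------------------------------------------------------
    def remember_send_to(self, contact: str, addr: str) -> None:
        self.address_book[contact] = addr

    def send_to_address(self, contact: str):
        # None means the mail reader must fetch a CAPTCHA from the contact's server.
        return self.address_book.get(contact)


def demo() -> dict:
    """Walk through the scenarios in the post; all addresses are constructed."""
    gw = MailboxGateway("example.invalid")
    bank = gw.issue_address("bank")            # generated without a CAPTCHA, as the post allows
    gw.remember_send_to("alice", "d1e7c0ffee@alice.example")  # constructed send-to address
    results = {
        "bank_ok": gw.inbound(bank, "statements@bank.example"),
        "guessed": gw.inbound("bob@example.invalid", "someone@spam.example"),
        "null_sender": gw.inbound("bob@example.invalid", ""),
        "leaked_via": gw.leaked_via(bank),
        "alice_addr": gw.send_to_address("alice"),
        "unknown_contact": gw.send_to_address("carol"),
    }
    gw.cancel(bank)                             # spam showed up on the bank address
    results["after_cancel"] = gw.inbound(bank, "statements@bank.example")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `DROP` branch is the interesting one: answering every unknown-recipient message with a challenge would turn the daemon into a backscatter source, so the post's "check the return address first" step is what keeps the scheme from amplifying spam rather than stopping it.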
CAPTCHA Test
If anybody is interested in finding out more about these spambot "turing tests", check out http://www.captcha.net/.
I seem to remember one of their earlier tests involved determining which word didn't belong in a particular phrase. They would give you something like "The girl went to the mall to buy a giraffe" and the answer would be "giraffe". This sort of test could be given either visually or aurally, and would require a lot of NLP resources to crack (would have to determine part of speech and some amount of the syntactic structure). This kind of system might be the answer. Theoretically it would be accessible to all English speakers, blind or deaf.
-
Captchas discriminate against lazy too...
Mozilla's automatic password feature can't handle dynamic captchas, creating a new login for each captcha value. You have to turn the feature off for sites that use captchas and type in username and password each time. Very annoying for the terminally lazy who have got used to login autocompletion.
-
Re:Questions
RE: I see a lot of spam that was probably produced by applications that use an automated signup to yahoo/hotmail/etc. to obtain a temporary email address and leave the actual emailing to those services which will circumvent 'greylisting'.
As pointed out by someone else in the thread, those are most likely not automated Yahoo/Hotmail/etc. signups. They're likely forged addresses.
It would be extremely difficult to do autogenerated signups on Yahoo absent some breakthrough in pattern recognition. Yahoo uses CAPTCHAs to thwart automated mass signups. I'm not sure, but I thought that some of the other free email providers were considering licensing this -- ISTR Hotmail being interested, though I could be wrong.
-
Oh, it's possible
Some of these tests can be beaten by computers (with much CPU time), some of them cannot yet. All of them are nearly "AI complete" and all of them are backwards- but not forwards-solvable. The important thing is that the cost of solving the problem by a computer is far greater than the benefit derived by solving it, to keep spammers away.
-
dangerous power grab
Tonny Yu, founder and CEO of Mailshell, says that any new and better replacement for SMTP would have to have some sort of certification system to guarantee that senders are who they say they are. The obvious candidates would be certificate services like Verisign,
Yes, just like what Verisign would want: $100/year from anybody who wants to send or receive mail. Thanks, but I'll stick with unauthenticated mail and spam.
If that's the sort of thing you want, you can already run SMTP over SSL--you don't need a new protocol for that. Operating systems terminally incapable of building services out of modular building blocks can hard-code SSL into their mail servers. Reasonable operating systems can use something like stunnel for wrapping SMTP. Either way, you get authentication. There doesn't even need to be any complex interaction between the SSL authentication and the SMTP server because SSL can simply verify the identity of the connecting host, and SMTP can continue to use its regular host-based identification.
The other important requirement, according to Yu, is a system for tracking resource usage per sender. Basically this means that profiles should be established for normal amounts of mail sending from different types of users. If you limited normal users to 100 messages per second and major companies to 10,000 messages a second it would be hard for legitimate users to complain, but spamming would be much harder.
We don't need a new protocol for this. Per-user throttling of outgoing SMTP connections could be implemented by ISPs at the TCP level, and per-user throttling of incoming SMTP connections can be implemented by the SMTP server. The reason why this isn't done is because it's largely ineffective: many spammers are beyond such controls for outgoing connections anyway, and limits on incoming connections can be circumvented simply by posing as hundreds of different users.
Solutions to the spam problem are things like CAPTCHAs, intelligent text analysis, and communications pattern analysis. Restrictions on who can send what to whom at the ISP level, or the imposition of authentication fees by ISPs or companies like Verisign, however, are thinly disguised attempts at squeezing money out of users. In addition to being ineffective and increasing the cost of E-mail, they also just threaten the openness of the Internet that has made it so successful in the first place.
-
Test your OCR software on this
After all, isn't any good OCR software able to transfer those to text?
Test your OCR software against Gimpy and see if you still think OCR can defeat automated Turing tests based on a distorted image of text.
-
CAPTCHA
I don't believe it would be possible to program anything on conventional computers with known technologies that another program couldn't be written to automate.
Take a look at a Slashdot story and an article I wrote about the CAPTCHA project.
-
CAPTCHAs
Unfortunately I didn't see the Q&A, else I would have asked something about CAPTCHAs. I believe these systems, implemented properly, could put a real dent in spammers' wallets. There was a website that used this system to allow legitimate mail through; I've lost the URL however (damned K-Meleon bookmark support!), but it's a really good idea.
It worked something like this: legitimate sender sends mail, autoresponder sends back mail with 'Visit this URL to confirm your address'. The legitimate sender visited the address, entered the obfuscated word and their mail was delivered (and address added to a white list for future correspondence).
I wrote a simple CAPTCHA in PHP (yey gd!) in about 30 minutes, so why legitimise spam when this ideal solution has emerged?
:)
-
Some solutions:
1 - Set up a website with a comments form. Never give your email address to anyone. Give your friends the url to your comments form instead of your email. If your website contains your name, Google will pick it up eventually and people who want to get in touch with you will find you. Spammers won't bother going to your website and clicking on your form (unless it's a standard feedback form that's so popular that it's worth writing a script to spam it)
2 - Use captchas as a way to authenticate human beings. Have an email address with a list of authorized contacts. For everyone else, have a bounce message telling them to go to your website and authenticate themselves as humans. After that, you can choose several actions such as adding them to your contact list, accept messages through a feedback form, etc.
-
Re:Utter bullshit.
There was an article on slashdot a few days ago about this (sorry, can't find the URL now). Check out CAPTCHA. It doesn't seem to me that the project intends to extend the idea to the complete content of the site though.
-
Captchas
Actually, this is a field that is quickly being considered a new Turing test for the computer vision field. It is actually very easy to make pictures that humans can read and that machines currently can't. Look up more info on it here.
-
Re:Sure they can!
-
Re:Sure they can!
-
Re:Sure they can!
-
Re:CAPTCHA project
The captcha project is conceptually pretty cool, but so far they have failed to make their code portable and useful to the community at large. Evidence? Look no further than the site you're reading. To stop spammers from creating tons of bogus Slashdot accounts, the folks at Slashdot had to spend months laboriously writing their own captcha-style process to protect the new user form. Unfortunately due to the failure of CMU to make their code accessible, someone at OSDN was forced to create their own system from scratch and (understandably) it isn't anywhere near as tough or well designed as the CMU captcha, lacking such basics as font rotation, color rotation, anti-aliasing, and other anti-OCR measures.
So, while I commend their effort, I wish CMU would work harder to make their tools available not just to commercial sites but to the Open Source community and projects like Slashcode. This would help the captcha project actually accomplish its mission of protecting users from abuse, instead of leaving sites like Slashdot vulnerable to any 13 year old Visual Basic programmer with a grudge and a clue.
-
CAPTCHA project
For those who don't know, the CMU-developed captcha project is great. Check out their work here:
http://www.captcha.net/
-
pix
Am I just stupid or is the Stumpy not working quite right?
-
Poll Stuffing on Slashdot
The CAPTCHA website (how do you pronounce that, anyway) has a list of possible applications of CAPTCHA. The first mention is online polls, and recalls an event in 1999, when Slashdot (they use http://www.slashdot.com for some reason) had a poll for the best graduate CS curriculum. Carnegie-Mellon and MIT wrote competing poll-bots that stuffed the poll boxes. The point was supposed to be that a CAPTCHA would have prevented this. In my opinion, however, this was probably the most accurate Slashdot poll ever. Obviously, MIT wrote the better poll bot, since it stuffed more votes, and they didn't even start until somebody noticed that CMU was stuffing. Hence, the winner of the stuffing contest turned out to be the true winner of the poll.
-
Re:Accessibility issues?
Yes, if you look at the captcha site, it lists "Sounds" under Captchas. Here's the text:
Sounds can be thought of as a sound version of Gimpy. The program picks a word or a sequence of numbers at random, renders the word or the numbers into a sound clip and distorts the clip. It then presents the distorted sound clip to its user and asks the user to type in the contents of the sound clip.
This would probably be similar to the visual techniques, most likely employing some audio filters so it's hard for a computer to decipher (our ears are pretty sensitive in deciphering noise from actual voices/useful sounds, so it shouldn't be a problem for us).
-
One More Cool Item...
The home page of the CAPTCHA Website refers to an event in Slashdot history!
CAPTCHAs have several applications for practical security, including (but not limited to): Online Polls. In November 1999, http://www.slashdot.com released an online poll asking which was the best graduate school in computer science (a dangerous question to ask over the web!). As is the case with most online polls, IP addresses of voters were recorded in order to prevent single users from voting more than once. However, students at Carnegie Mellon found a way to stuff the ballots using programs that voted for CMU thousands of times. CMU's score started growing rapidly. The next day, students at MIT wrote their own program and the poll became a contest between voting "bots". MIT finished with 21,156 votes, Carnegie Mellon with 21,032 and every other school with less than 1,000. Can the result of any online poll be trusted? Not unless the poll requires that only humans can vote.
Cool, eh?
-
I failed!
I did the gimpy test.
Results
Result of the Test: FAIL
It switched pictures on me! Honest!!
You entered the following words:
school
tall
warm
The words possibly displayed in the image were:
able
tongue
tongue
full
train
picture
shelf
-
Important Information
Now, what about people who want to advertise their address for open source projects and the like? Well, put it in the source code, in the README files, wherever you like. Just not on your web page.
I've been waiting for people to put important info that they don't want roaming spiders to get at into images. More specifically, images generated by this project.
There are 11 kinds of people. Those that understand binary, and those that don't.