Making CAPTCHAs Even Harder With 3-D Models
Michael G. Kaplan writes "CAPTCHAs (Completely Automated Public Turing Tests to Tell Computers and Humans Apart) are commonly used to prevent computers from filling out web forms. Computer vision experts have been able to design programs to foil CAPTCHAs with a high degree of success. I have designed a CAPTCHA that is based on the identification of attributes contained in an image generated by the grouping of easily recognized 3-D objects. I call this the Virtual Photographic CAPTCHA and it is likely to remain invulnerable to automated attack for many years to come. A novel anti-spam system necessitated its development."
Wow, you're just asking some bored hacker out there to prove you wrong.
PHP developers might find this article useful:
http://phpsec.org/articles/2005/text-captcha.html
A while back on Slashdot (I'm too lazy to find the link) there was an article on CAPTCHAs being attacked by spammers who would set up a porn site requiring user registration using the CAPTCHA they wanted to crack, then forwarding the results to the anti-CAPTCHA bot.
Vision-recognition systems be damned, all a spammer needs to do is use the inherent need of apparently most of the male race to look at pictures of naked women to get what he needs. I don't know if a counter was ever found to this method either...
...in bed
So, what was your email address again?
authentication should use l337speak. w3 4r3 t3h 0wN, j00r b453 4r3 b3l0Ng t0 u5.
http://www.monduna.com/cgi-bin/misc/l337.pl?page=http%3A%2F%2Fyahoo.com
seriously though...try reading that^^^
I wonder if a 3d applet containing some 3d forms would be harder to decode. Sounds like a good project for someone bored!
Check the last sentence on his page.
"Patents pending."
Tyvm, but no.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
according to this interview with a link spammer
of course demand is the reason they do it, people keep buying and they keep spamming
Show them the acronym, CAPTCHA. If they don't cringe, they are obviously non-human.
http://www.brains-n-brawn.com/default.aspx?vDir=ai captcha
The developer of an automated breaking bot explains how he did it.
Sigs? Sigs? We don't need no steenkin' sigs.
The logical conclusion is that I'm not actually human. My girlfriend will be very upset when I tell her.
Decoding the 5-letter example in the article took waaay too long when compared to current techniques (i.e. 30 seconds as opposed to 3), regardless of how good it is at eliminating nonhuman respondents.
It seems a very good idea, but all that flicking back-and-forth of the eyes is too compute-intensive for my grey matter.
"Any similarity between the hooting of a million eager monkeys and Slashdot is purely coincidental." -THEFLASHMAN
Am I the only one to notice that there is no story here? It's all well and good that you designed an unbreakable CAPTCHA system, but it would be great to actually have an example.
I've made sure to add mkaplansolution@lycos.com to all my mailing lists so you can test your invention!
I was doing a whois with one of the forms the other day and was unable to pass the test. There were thick lines over the text and it was sloppy cursive-ish text I was supposed to identify.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
"Your message was blocked, a sub-adress is now required. ...subadress is now required... Please update your records and resend your message with the sub adress below."
And thus you have effectively blocked that email address permanently for the 70% of the population who don't understand the above, and who - more importantly - don't have the time or interest to make the effort to understand (and that would include people like my mother), or who don't read English well enough to understand it, interest or not. Easier to just close the email address than messing with some system like this.
Trust the Computer. The Computer is your friend.
(the email scheme in this article requires people to read email from auto-responders). Who actually reads mail from auto-responders? I don't because they're almost all junk. I get maybe one useful autoresponse out of ten thousand generated by viruses masquerading as me.
Someone already figured out that if you run a porn site (or other type of legitimate site which could possibly use CAPTCHAs) you can have legitimate users fill out the CAPTCHAs which you scrape from the site you want to crack, and then forward it back to the targeted site. Since there is a surplus of people filling out CAPTCHAs over bots wanting to crack them, there is plenty of room for cracking it...
In the end, it is only a deterrent. But it is definitely not close to foolproof.
(Note that this technique does not have anything to do with cracking the CAPTCHAs; it only bypasses their decoding step by handing off the work to a real human being who doesn't know he is decoding an offsite CAPTCHA.)
Your ignorance is infinitely greater than you realize.
The novel anti-spam system mentioned in the article seems on the surface to be a great idea. However, I do see one small problem with the separate username;subaddress@domain.com per correspondent idea. Imagine an environment where there are 1,000 employees and each employee receives mail from 100 different users. Doesn't that place 100,000 separate mailboxes, forwarded to 1000 "internal" mailboxes? That will have an overhead to be sure. Also, if the spammer is able to obtain a traffic sample coming to/from this fictitious corporate mail server, could the spammer then obtain the subaddresses directly? If the spammer then sent a spam email to every subaddress for a user, the user would then end up with 100 copies of the spam letter in their inbox.
Just some hypotheticals.
Be Safe! Sleep with a Marine. Semper Fi!
This system sucks, and nobody will ever use it. Sorry that nobody has been honest with you until now, but it is time to face facts. It is far too complex.
Do you know how many times things like this have required me to use some browser other than Lynx or Links? You're blatantly discriminating against us terminal users. Then we have to find someone running a GUI environment. Oh! The insensitivity!
Solomon Chang
"Twice half-assed makes an ass whole." --Solomon K. Chang
Deckard: You're reading a magazine... You come across a full page nude photo of a girl...
Rachael: Is this testing whether I'm a replicant or a lesbian Mr Deckard?
Deckard: Just answer the questions please.
This will fail miserably. It requires too much human involvement, the munging of previously easy to remember email addresses (however easy ilovemypoodlexo42@hotmail.com was to remember anyway), but perhaps most importantly, it generates a bounce. Anytime a typical clueless user sees a bounce message, they don't bother to read it. They see "ERROR" and that's as far as they get before calling their buddy and bitching about the bum email address. Maybe if you're lucky, they'll double-check to see if they spelled it right, but that's about it. For any CAPTCHA to work, it has to be a one-time event (like registering a Yahoo email address) that does not result in apparent error messages being thrown back at people. For any anti-spam system to work, it must be transparent to the end-user (like these new sender-id verification systems).
I suspect that one of these choices is incorrect. Correct.
Here is a description of the actual "Virtual Photographic CAPTCHA" system, with pictures. Why this wasn't included in the original post, we'll never know. (Oh wait - maybe it was to prevent a slashdotting. Oh well.)
I had a conversation with a senior executive at a former employer.
He told me that, just as companies were outsourcing tech support to India/China/etc., companies which handled mass-emailing were also outsourcing work to have people sit there and recognize CAPTCHAs as well as respond to those stupid validation things some people try with their email (i.e., you have to respond back to some silly email from their server saying "yes, I do ACTUALLY want to email you"). The mass-emailing companies would forward all the responses they got to a mailing to the company, and rooms of people would go through them all.
Very little training was required for the CAPTCHAs, and only rudimentary English for the email-response things.
Please help metamoderate.
RandomPerson: Hi there.
Me: Hello. What is your name?
RandomPerson: Uh, Jeff. What's yours?
Me: ERROR: TRACEBACK CALL IN ^^^^^
Me: ERROR: NO SIGNAL CARRIER DETECTED
One good turn - gets all the covers.
The federal government is considering outlawing this abusive practice. I met with a senator from SC and another from GA in the past month wrt this issue. They, like most people I know, hate it, and hate the artificial barrier it creates for Internet usage.
I work at a school for the deaf and blind, and CAPTCHAs make it impossible for the blind or many of the vision impaired to do many things on the Internet without having help from someone with good vision. Even I, with my cheap LCD monitor and 73 year-old eyes, have trouble reading the Yahoo ones.
In the images from the harder version of Gimpy, http://www.cs.berkeley.edu/~mori/gimpy/hard/, the grey colour of the text is distinctly darker wherever two letters intersect (e.g. where the "o" and "s" intersect in "long" and "sharp" in the upper right corner of the first image).
Now, I'm not suggesting that it is easy for a computer to read these words; but, wouldn't this darker text colour make it easier for a learning algorithm to "dissect" two letters that intersect slightly?
I can't imagine that recognizing the letters without the darker intersections would be much harder for people, but I can see the darker intersections being an advantage for computers. Why not remove them?
Use handwritten challenges and let the spammers solve the handwriting recognition problem for us.
They will design a Captcha that only females can solve. You can ask your mom to solve it, machines can't.
That's what I thought this was going to be about. Imagine my disappointment at more of the same. What about a Q/A based upon an image?
I.e.
The boy has how many apples in his left hand?
Animals, Left to right (cat, dog, bird)
With enough style these could be much more difficult than those damn words, which even I, with my above average visual acuity, have difficulty deciphering (imagine the problems this presents for the visually impaired!)
A feeling of having made the same mistake before: Deja Foobar
Don't you agree, my fellow non-artificially created life-forms?
Oh, and I found the recently posted comment regarding Soviet Russia most humorous.
ha. ha. ha.
http://www.brains-n-brawn.com/default.aspx?vDir=ai captcha
While I understand the appeal of vision based tests as very easy to automate and simple to implement, long term use of these kinds of tests, especially in single use contexts like signing up for an account, requires a more complex problem.
Quite simply vision is too simple, or at least the easily automated part of vision that is being used in these types of tests. What needs to be tested is the ability to reason and detect patterns in data.
Basically we need to give people reading interpretation tests like they had on the SAT and GRE. Of course the simplest way to do this would just be to hire people to give the correct answers. Heck, this might even be the cheapest way to deal with the problem. You could pay people very little to work at home and give a one word/few word description of what a paragraph was about.
However, if you insist on making this entirely automated I think search data provides a useful basis to work from. Basically, I think you could get a vague idea of paragraph content by the semantic structure, i.e. the web pages which link here and the pages to which this links. Alternatively you might ask the person to give a related topic that wasn't one of a list of obviously related topics.
Sure spammers could duplicate this if they had the algorithm and the usage data. However, the idea behind this is that building an index to the whole www so they can locate the paragraph snippet in its semantic context is very expensive and is something yahoo and google can do easily and the spammers would have great trouble doing.
Of course maybe there is some really clever algorithm out there that is computationally one way for computers but easy to reverse for people.
If you liked this thought maybe you would find my blog nice too:
IMHO, no technical solution to a problem is unhackable. It's like crime: you cannot stop it, you can only stem the flow.
Don't get me wrong, I'm all for keeping ahead of the spammers but I think we need to take any magical solutions with a fistful of salt.
Inspiring the well funded sex-pr0n industry to advance the basic research in computer vision would be good for society.
I posted something similar here: http://www.creativitypool.com/viewtopic.php?t=1762
I also use Spam Fly through Register Fly for my domain names.
-Steve
the fleet REALLY needs their Cylon detector!
call this the Virtual Photographic CAPTCHA and it is likely to remain invulnerable to automated attack for many years to come.
Nurse: You can't perform heart surgery in the dark!
Doctor Hibbert: Is that a bet?
Krusty: I want in on this.
-liz
So, apart from spamming me with annoying demands for confirmations, you also want me to accept idiotic random email addresses that are impossible to remember? No way, d00d3.
I have stopped hiding my email address (anders@alweb.dk). I use SpamAssassin on the mail server, and throw away all mail that is marked as spam. Along with server side techniques and with additional local filtering of the few spam messages that survive on the server, very few (10/week) spam messages make their way into my inbox.
Systems like the one you propose are just a more painful way of giving up and letting them win. How sad!
I wonder when CAPTCHAs will be so hard that an increasing fraction of the human population fails them. Perhaps the true origin of SkyNet will be when some spammer's AI realizes that humans are superfluous in an age of totally automated click-throughs and e-commerce.
Two wrongs don't make a right, but three lefts do.
If this is such a great anti spam tool, why does his page say mkaplansolution at lycos d o t c o m at the end?
Seems he does not believe in it himself.
Don't fight for your country, if your country does not fight for you.
While I understand the desire to keep people from posting spam in the first place, what I don't understand is why web apps don't use Bayesian filtering to moderate posted messages? A hosted service such as Blogger could use a central database to implement this, making the system very effective. Sure, you would have to spend some time going through the comments to make sure there aren't any false positives/negatives, but if filtering became prevalent enough (all the blogging systems implemented it), it would go quite a way towards deterring spammers.
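As an added illustration of the Bayesian comment filter proposed above (example code written for this page, not from any poster or product): a small multinomial naive Bayes model trained on constructed sample posts, with a middle band that holds borderline comments for the human review the poster mentions rather than auto-publishing or auto-rejecting them.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Constructed training data (not from the original thread): a few comment-board
# posts labelled spam/ham, standing in for the shared moderation history that a
# hosted service's central database would accumulate.
TRAINING = [
    ("buy cheap viagra online now click here http://pills.example", "spam"),
    ("cheap pills free shipping visit http://pills.example today", "spam"),
    ("make money fast work from home click this link now", "spam"),
    ("free casino bonus click here to win money online", "spam"),
    ("I think the 3-D captcha idea is too hard for most users", "ham"),
    ("the porn relay attack bypasses the captcha entirely", "ham"),
    ("bayesian filtering of comments would catch most of this spam", "ham"),
    ("visually impaired users cannot solve image captchas at all", "ham"),
]

URL_RE = re.compile(r"https?://([^\s/]+)\S*")
TOKEN_RE = re.compile(r"[a-z0-9']+(?:\.[a-z0-9']+)*")


def tokenize(text: str) -> List[str]:
    """Lower-case word tokens. A URL collapses to its host name, so the model
    learns that 'pills.example' is spammy instead of seeing one unique token
    per distinct link."""
    text = URL_RE.sub(r" \1 ", text.lower())
    return TOKEN_RE.findall(text)


class NaiveBayes:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing."""

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = Counter()
        self.vocab = set()

    def train(self, samples: List[Tuple[str, str]]) -> None:
        for text, label in samples:
            self.doc_counts[label] += 1
            for tok in tokenize(text):
                self.word_counts[label][tok] += 1
                self.vocab.add(tok)

    def _log_joint(self, tokens: List[str], label: str) -> float:
        # log P(label) + sum over tokens of log P(token | label)
        total_docs = sum(self.doc_counts.values())
        lp = math.log(self.doc_counts[label] / total_docs)
        n_words = sum(self.word_counts[label].values())
        denom = n_words + self.alpha * len(self.vocab)
        for tok in tokens:
            lp += math.log((self.word_counts[label][tok] + self.alpha) / denom)
        return lp

    def spam_probability(self, text: str) -> float:
        tokens = tokenize(text)
        ls = self._log_joint(tokens, "spam")
        lh = self._log_joint(tokens, "ham")
        # P(spam | text) from the two log-joints, without underflow
        return 1.0 / (1.0 + math.exp(lh - ls))


def build_model() -> NaiveBayes:
    model = NaiveBayes()
    model.train(TRAINING)
    return model


def moderate(model: NaiveBayes, text: str,
             reject_at: float = 0.9, hold_at: float = 0.5) -> Tuple[str, float]:
    """Three-way decision: confident spam is rejected, confident ham is
    published, and the uncertain band is queued for a human moderator, which
    is where false positives/negatives get caught and fed back as training."""
    p = model.spam_probability(text)
    if p >= reject_at:
        return "reject", p
    if p >= hold_at:
        return "hold", p
    return "publish", p


if __name__ == "__main__":
    m = build_model()
    for post in ("cheap viagra pills click here http://pills.example",
                 "the captcha is too hard for visually impaired users",
                 "click here now for the captcha"):
        decision, prob = moderate(m, post)
        print(f"{decision:8s} p(spam)={prob:.3f}  {post}")
```

The thresholds and the tiny training set are illustrative; a real deployment would train on the service's own moderated history and tune the hold band to the moderators' capacity.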
I know it has become a running joke, and rightfully so, but quite honestly, I've failed to prove I'm human to these stupid things on more than one occasion.
A lot of them do stupid things like start with a serif font, distort the hell out of it, and expect me to be able to tell which is a 1 and which is a 7.
Also, while we're on the subject.. I didn't know these things (CAPTCHAs) had a name... a really stupid name.
Finally 'real' hackers can now join their Hollywood counterparts by eschewing complex algorithms, buffer overruns and good old-fashioned skullduggery. Now secure systems will be protected by spinning multicoloured 3D geometric shapes. Hack the gibson anyone?
Your post advocates a
(X) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(X) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
(X) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
(From http://www.craphound.com/spamsolutions.txt)
And how are visually impaired people supposed to do this? Use the alt text?
...for not understanding core principles of Ethernet.
Although it's tangential to the topic, you can't "ban by MAC addresses". Not unless you're on the same ethernet segment as the attacker. Try it the next time you've got access to a few machines separated by at least one router. Ping from two different machines to a third on another network and run tcpdump to inspect the MAC addresses on the packets. Let me know how it turns out. (hint: they'll have the MAC address of the router)
Respectfully submitted, I'm sorry, but it won't work.
First, you're dealing with a very small set of 3D models that can be easily duplicated. (Let's face it, the stock set is all that's ever going to be used. If you think that folks have forever to constantly create and install new models, you're mistaken. Also, what's to stop spammers from simply buying the same models you're using? Nothing.)
The *lighting* of the original is a red herring; the fact that the background is fairly plain and offers a noticeable, distinctive difference between it and the models makes it easy to separate the silhouette of the models from the background. (Even if the background isn't kept plain in a live system, edge detection should make it very easy to tell the background from the models.) Copies of the models can be fairly easily positioned to match the silhouette of models in the original, and then the letters can be overlaid much the same way, and then identified.
And that's if a spammer actually wants to go through that trouble. They'd do better just to take the "hints" to determine the number of letters in the subaddress, and then blitz the mail server with many/every possible combination(s).
Also, your "hints" are rather anglo-centric, which could cause you problems.
And, all that said, I'm sorry, but I can't think of many consumers who are going to want to go through all this trouble just to freaking send/receive email.
Ed R.Zahurak
You know, oblivion keeps looking better every day.
Mass automation of CAPTCHA cracking isn't done by computers anymore; people have realised that they can get real humans to do it instead. They just stick the CAPTCHA in another web page such as on warez or porn sites, the user is told to solve the CAPTCHA to enter the site, which they will gladly do..
Sadly there's no real way to stop this.
This comment does not represent the views or opinions of the user.
The methods he describes on the linked page are all for determining words in CAPTCHAs. I've seen some where it just said "type in these letters" (i.e., random letters, not words) which would in general cause his counter-CAPTCHA algo to puke, and in particular make it fail more if it insisted on supplying words when the CAPTCHAs all specifically aren't.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Instead of making the actual recognition of something the object of the exercise, how about elevating it to a more abstractive method. My daughter was watching Sesame Street the other day and it came up with the "One of these things is not like the other"; she got it right instantly, shouting at the TV, and I got thinking about how it could be implemented to weed out the humans from the computers. You could have a collection of easily recognisable monochrome shapes, maybe a couple of hundred, group them by image attributes, say a group of pictures of birds, some flying, some not, large birds, small birds. And then present the user with 4 pictures of birds, three flying, one not or whatever and get them to click on the odd-one-out. Then you could re-use the same birds with different attributes on the pictures, like three large eagles and a small sparrow. This would require the automated CAPTCHA cracker to not only recognise the shape but also figure out which picture is the odd one out.
Task Mangler
This proposal totally sucks. The goal of a CAPTCHA is not only to be extremely difficult for a computer, you also need to make it simple enough for the user. Most current implementations are considered extremely inaccessible, and if you have accessibility in mind, these 3D images are a huge step backwards. The utter vanity of it all is emphasised by its vulnerability to the porn site attack (offering porn to monkeys to crack CAPTCHAs). Be assured that I and other people will devote as much time as possible to eradicate moronic CAPTCHAs from the Internet.
God, root, what is difference ?
Many companies that do business in the United States of America are subject to regulations that forbid them from discriminating against people with disabilities; companies that have significant contracts with the United States Government are subject to the stricter guidelines of Section 508 of the Rehabilitation Act. Anything that discriminates so flagrantly against people with vision or cognitive disabilities may get companies in trouble with the law.
The 3-D item just seems like even more of a pain than the existing captchas, which are way overused as it is, and a burden on the vision impaired.
But the anti-spam system isn't very novel. A number of systems have tried custom subtags to generate unique addresses for other folks to use, they tend to cause more problems than they solve. This is really just a challenge/response system which is harder to use, and worst of all, forces the sender to cut and paste their mail to send it again. No thanks, you probably just don't get my mail.
Has it been over a year since you last donated to the Electronic Frontier Foundation
Me lost me cookie at the disco.
Or "type in the characters" or whatever. I fail those things three times out of five, and I'm about as human as you can get these days. The frigging things do NOT compensate for vision problems.... some have case sensitive input, some don't, etc, etc.
Much like aggressive spam filtering, any ARE YOU A POOTER? [ Y ] { N } [ ______ } is going to turn up false positives.
Why would I want to view images in an e-mail message?
Spam is a problem, but for me at least, this ain't the solution! I'm not about to jump through these hoops. If you want to exchange e-mails with me, fine. This system tells me you don't.
A lot of people won't understand it, and a lot of people who do are going to ignore it and move on to the next message in the inbox.
I suggest you try it out on your website.
This entire CAPTCHA relies on the English language. It undermines the entire CAPTCHA system that such a large assumption is made - the target/subject speaks English. This should not be the case!
The best CAPTCHA to me personally would be to use something similar to "what is this?" as discussed in the document but rephrase the question to "how many of this?" (the grid/photos could be chosen then obfuscated with noise etc. to prevent a hash table being constructed). Language is irrelevant in this scenario with most humans possessing the ability to spot patterns - e.g. 10 dogs, 2 cats - how many pictures of X? (where X can be either dog or cat) would provide a large enough pattern, even 2 for a human to interpret.
Move along, nothing to see here.
I wonder if you can get them in PCI card format...
Automatically generate a contract and then force the user to write code which meets that contract when interpreted. This would be a very effective test for humans; on the other hand, unfortunately, it takes too much training to learn.
Basically this is the same effect that it is very easy for humans to prove a great many simple theorems but we can't write a good computer theorem prover. I teach logic, and the fact that even the worst student can be made to do better at proofs than computer based theorem provers suggests that this would be a very good test (in theory). Since there is a natural (Howard-Curry?) correspondence between proving a statement and writing a function with a particular type, another way to pose the problem is to ask the user to write code implementing a particular contract.
Maybe the idea could be cleaned up with a really simple code system and explanation of what it meant to implement the contract. At the very least one could use it for geek only sites.
If you liked this thought maybe you would find my blog nice too:
Just don't give out your email - works for me.
Personally I love the idea of this, mostly because this gives economic incentives to solve currently impossible AI problems like scene recognition.
If there is one thing time has shown on the Internet, it's that anytime some security measure is put in place, hackers are instantly motivated by the challenge. Possibly these are people who would never go down the AI research path, but will throw together some code to register yahoo mail accounts automatically.
Look at the technical skill applied to difficult problems like cracking Xboxes. This seems like a good way to harness some of that creative energy for furthering science.
If an ISP can't be bothered to set up a decent virus and spam filter, and relies on bouncing EVERYTHING back to the sender to check for signs of life, it creates two problems for the rest of us:
- All the spam sent with my address forged in the FROM field comes back to me to be validated.
- All the viruses sent with my address forged in the FROM field come back to me to be validated.
I'm doing the ISP's filtering for them - all they do is an automatic bounce for anything that is not whitelisted.
- It uses a whitelist as a means of solving spam. The system claims to allow strangers to effectively email each other, but only after first forcing the user to jump through several hoops. Correspondence will be slowed, and many people may give up in irritation before they bother to send the mail a second time. Imagine a prospective employer who decides that it's not worth tracking down Joe Blow because the email didn't get through, or a university attempting to contact a student by email. This particular method of foiling spam eliminates one of the key benefits of email: easy correspondence with a fast response time.
- Users have to maintain a database of trusted senders, as well as another database of recipients who trust them. This means extra data and the possibility of users accidentally falling off of each other's whitelists whenever somebody loses their address book.
- It will generate too many bounced messages, thus increasing network overhead to a point where it really may not be much better than spam. It also requires transmission of graphics, which again increase system overhead, as well as extra computational time to generate said images and to register and process the responses.
- The system claims it will benefit from server-side cooperation, instead of keeping the method purely client-side. This means that users have to rely on the benevolence of their ISP to keep the system updated and maintained.
- The graphical images contain a fixed number of very easily discerned letters that can be combined to form "easily-remembered" words. Once the letters are extracted, they can be recombined into known sequences, first of common English words, then popular web slang, then even transcribed into 1337 for the heck of it. Shouldn't take long to hack that.
- Sub-addresses? So you want to explain this one to my parents? "I know you picked out one, simple email address that you really like and will never have to change, but now I want you to pick out a new one. It might be a good idea to change it once every few months or so, too." The whole purpose of an address is to allow someone to have a unique identity that can be easily found.
Honestly, this particular system sounds like it relies more on sheer grunt work and the wasted time of its users to make it work, rather than any innovative computer programming."Give a man fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life
Ethernet has never been a strong point of mine, but if only you could put the originator's MAC address somehow on the packet... actually, in hindsight, if that were possible, it would probably solve a lot of the problems re: spam in the first place...
...in bed
Huh, it's discussions like this that make me wonder if the internet's going to break down into a chaotic, useless cacophony of spam/bot noise empowered by cheap global labor, the porn surfers who jump through whatever hoops and porn providers who cater to those wanting porn and anyone who wants to throw money at these groups of people.
How depressing.
Today is all we really have. We should all live it well: it is our stepping stone to all of our tomorrows.
For one thing, think of all the poor benighted users using Outlook, which interprets a semicolon as an address boundary. For another, RFC-822 specifies some definite syntax for the semicolon that this use appears to exist outside of.
-- Old Man Kensey
I'm not sure why this is marked "Funny"...
Using a system like this for EVERY login for ANY site could generate a lot of valid spam accounts, just always say the person got it right, and probably 90% of the responses would be correct for use as spam accounts. Scary.
It's a brilliant bit of social engineering, but at least we all get free porn out of the deal :)
'Nuf Said.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Because a random guess has a probability of 1/n of succeeding where n is the number of options offered. So you give me six choices, and instead of sending 20 million spams, I only send 3.3 million. It helps, but not as much as something with a high answer space, like five random letters.
You could ask several such questions in a row, I suppose, but who wants to take the SAT every time they send an email?
People sure go to a lot of work just to avoid creating a robots.txt file!
I agree, it took a long time to figure out what any of the words were (long being relative). But also I thought having to choose three was too much, even though I understood the argument they were making for the probability of successful detection being dramatically reduced...
I would say from looking at the "hacked" examples it seemed to me that the only thing required to really confound detectors was sufficient skew in the letters. In every case letters with a heavy skew were not recognized correctly. So it seems warping of text is far more useful to prevent automatic recognition than simple obfuscating backgrounds.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
As the article pointed out, a generic spammer can't respond to a CAPTCHA that comes in an auto-responding email, because the sending addresses are invalid. Moreover, they're going to have to have a CAPTCHA for every single email, because a good email interface should allow you to de-whitelist a successful CAPTCHA response. Even if a third world worker can spend an entire year decoding CAPTCHAs for $1000/year doing one every 8 seconds, they can still only decode 900,000 CAPTCHAs per year, and that has a cost of 1.1 cents per 10 CAPTCHAs. That would mean that emailing 40,000,000 people a piece of spam would cost $44,000. Suffice it to say, spammers do NOT make $.001 per spam sent; not even close.
Result: a new spam address validated by a human
And some dissatisfying soft-core illegally copied by 1 million other websites as a reward.
Anyone who has problems with vision and has to use text to speech type software... what the heck do they do? They can't even use a graphical browser if they wanted!
...visually impaired people? It should be trivial to have a speech synthesizer create wavs on demand that pronounce the CAPTCHA and then ask the user to type it in.
-- the cake is a lie
Overlap the image with an EULA or a link to an EULA that has the scariest words possible. Mention IP (this image is your property), copyright (this image should only be transferred from www.your.site), DMCA (if you're in the US - this image is part of a copy protection method for copying your email address info), intended use only, maximum penalty, suing, anti-spam law, civil/criminal law, (anything feasible). Consult your lawyer. They'll make a nice, scary EULA.
I find the classification of these measures as "abusive" to be flawed at best, and misleading at worst. CAPTCHAS are a desperate response to an immoral group of people who will stop at nothing to make money with absolutely no regard for the problems, cost, and distress they cause their targets, who hide behind the first amendment when possible, or using illegal techniques when not. I hate having to deal with them myself, but I understand the necessity of their existence, however unpleasant, and will continue to deal with them as long as is necessary, as such.
Below are several problems mentioned with CAPTCHAs, as well as some possible solutions:
1] Accessibility
Problem: Blind/visually impaired users cannot reliably read the altered text.
Solution: Audio file accompanies every graphic, to be read on command. (However, still crackable with speech recognition.)
2] Referring test to 3rd parties
Problem: Spammers have other membership-based site users (i.e. porn sites) do the test.
Solution 1: Image is generated randomly, based on a user session, requiring an actual visit to your site; copying will be less effective unless the images are compared later... which may be quite some time if there are a large number of images and/or if the images are generated live on the server, rather than being stored files.
Solution 2: Include text embedded in the image (and audio file) specifically referencing the site it is to be utilized with exclusively, requesting that the user report violations of duplication/unauthorized usage, and possibly offering a small reward for information leading to the arrest/conviction/judgment against the violator.
3] AI text processing
Problem: AI can be complex enough to identify letters, no matter how obfuscated, until such characters must be so distorted that even a human cannot decipher them.
Solution: Ask a logic question, present a photograph, or require another means of challenge/response than simple text recognition.
Example 1: Present a photograph of an apple or otherwise easily-spelled object, and ask the user to type the name into a field, or allow the user to select from a group of mildly distorted text, to avoid spelling issues. (However, this issue raises the accessibility issue again.)
Example 2: Present a short list of slightly distorted words (with audio files available for each word), and ask a short logic/history/other question. (One | Two | Three | Four | Orange - Of these words, one does not match. Please type the number of letters in this word, in numeric format. (Example: Apple = 5) This test is to be used exclusively by abc123.org. Please let us know if you see this elsewhere, as this means it was stolen.)
Until it is financially infeasible for a spammer to continue to do business, we will all be forced to deal with the messes they make. This is a challenge/response system, not an attempt to abuse the users of the internet. If there was a better way to solve this problem than hitting "delete" (which must happen hundreds if not thousands of times per day, for some of us), or using filters (which ALL give false positives, eventually), you can be sure that millions of semi-knowledgeable or better computer users would have chosen this path. To claim that such measures, which attempt to HELP people, are abuse... perhaps you would like to re-evaluate your claim.
...and not even remotely close to 1%(I'd guess less than .1%) of all email addresses use that stupid auto-responder "reply back to this email to email me" method.
Let's put it this way- almost all the bulk-emailing services now offer this outsourced service. They wouldn't if it didn't make them money, moron.
Please help metamoderate.
Just show a regular photograph or section of text and ask questions about it. It was mentioned in an earlier /. article how hard it was for AIs to read and understand an arbitrary passage of text.
Eg: for photos:
What colour is the carpet?
How many men are in the picture?
What colour is the lamp?
What is the largest shape?
How many sides does the smallest shape have?
Short story or article: (can select article/answers for language)
Who is the name of the protagonist?
What is his favorite rock?
What street does Bob live on?
Who lives next door?
etc.
My rights don't need management.
Computer vision experts have been able to design programs to foil CAPTCHA with a high degree of success. I have designed a CAPTCHA that is based on the identification of attributes contained in an image generated by the grouping of easily recognized 3-D objects. I call this the Virtual Photographic CAPTCHA and it is likely to remain invulnerable to automated attack for many years to come
spare us the modesty!
This UID is 7651 digits too high to subjectively infer IQ from.
Let's say you use Cyrillic, f'rinstance.
And the random string looks like this:
CTECMPCHP
The "Raiding" software would read it as:
CTECMPCHP
which will be wrong, as it should be read:
STESMRSNR
So, the person sitting there would look at the image, then look at the table next to it, find the C and see that it is the letter for S, T and E are the same, but there's that C=S thing followed by an M, which is the same, but the P is an R and the H is an N, etc...
Once they develop software that can read Cyrillic, switch to some other language or even make one up!
Here are some really fucked up alphabets that would be really cool that way:
Glagolitic
Enochian
Cherokee
Malayalam
Heck - there are bunches of them. And since there would be a visible key next to it, it would make things a little slow, but it would be hella secure against automated intrusions, since the letter composition would be randomised.
also: It would look | Comments?
RS
Shoes for Industry. Shoes for the Dead.
You're not only too lazy to find the link, you're too lazy to RTFA. This technique is mentioned right there in the article, and the author claims this yields spammers a relatively trivial amount of email addresses.
"What makes you think that the Virtual Photographic CAPTCHA cannot be broken? There's a lot of very good work being done by computer vision people, solving basically this very problem."
The guy responds with 'I talked to a guy who knows what he's talking about and he says 'That really is an interesting idea, and one that I think would work quite well. Object recognition is a completely unsolved computer vision problem. The sort of "parameterized" set of synthetic images you create would be quite challenging to process automatically, now and in the years to come.'
Unbreakable to me means no attack easier than brute force - and brute force in this sense means 'send out to every possible combination of five digit subaddresses'.
Of course, it doesn't actually have to be unbreakable, just hard enough, but the whole 'cannot be broken' bit - I'd like to see that backed up with some proofs.
E.G., crypto guys don't say unbreakable - they say ' could be broken if someone figures out how to factor fast'. They talk about potential attacks and they don't call a currently unsolved problem 'unbreakable'.
Here's the how to. Now go code it if you're smart enough, I'm not:www.geocities.com/James_Sager2
God spoke to me.
You're not only too lazy to find the link, you're too lazy to RTFA. This technique is mentioned right there in the article, and the author claims this yields spammers a relatively trivial amount of email addresses.
That might change if more pressure is added from the removal of "traditional" approaches. Spammers take the easiest path. When the easy path is removed, they step up their sophistication. There are plenty of desperate shady corners of the world where such operations can take place.
The only real solution I see to spam is e-stamps. If they have to pay a few cents per message, it will no longer be economical for most of them.
Table-ized A.I.
Assuming anyone does find some perfect flawless way to prove that a real person is behind the keyboard, it will still be broken. There are people out there in poor countries who make a living clicking ads.
If this is truly perfected then spammers will just buy hotmail addresses for a penny each or whatever they need to do from real people.
Email is a tool, people will use it for good or bad. You need to make it too expensive, or get VISA involved.
The only technical solution I've seen work is Lycos screensaver DOS attack.
Let's look at his "LUCKY" example to see why. So he has a picture of the standing man, the flower, and the sitting man, and all over the picture, he has a series of glyphs. As these glyphs are not distorted, they are easily extracted -- the whole point of this system is that distortion-based CAPTCHAs are relatively easy to defeat, so he doesn't bother. In his example, he has 26 glyphs, corresponding to A-Z, but in practice, it isn't important what the set is -- only that it is small and finite.
Once this set is extracted, we know that the "password" is some permutation of this set. Because the set of possible characters in an e-mail address is much smaller than the set of possible characters in an actual password (in particular, e-mail addresses are case insensitive), brute-force cracking of this password is much simpler than brute force cracking of a UNIX password, for example. But luckily for us, it's even easier than that.
In the e-mail, he includes this "decoder" list.
Of course, it should be clear at this point that this list would be relatively easy to extract from the e-mail, and further, that it tells you the exact length of the password, reducing the number of permutations to check to (in this case) 11,881,376.
Furthermore, a little bit of extra logic could reduce this number still further by noticing repetitive patterns in the list. So if "The Leaf of the Flower" appears twice, we know that the letters in those two slots are the same. And if the glyph set is unique (ie, no glyph appears twice), then we can reduce the number of permutations to at most 7,893,600.
Now, that's still a fairly large number of permutations to check, and at one point, it probably would have been enough. However, computational power is free now, at least for spammers. And it doesn't take much. Here's a sample perl (!) program I ran on my Debian GNU/Linux laptop (1.2GHz Pentium M).
This just prints out all the permutations; of course they still would need to be checked.
Not very long on a modern computer, eh? And written in perl, too, not exactly the fastest programming language in the world. Now consider that spammers have access to just about infinite CPU and bandwidth, thanks to their army of zombie bots, and that both CPU power and bandwidth are likely to increase at a rather rapid rate in the next decade. Furthermore, this is a worst case scenario -- success in a brute force attack tends to occur somewhere in the middle, not towards the end, reducing the necessity to actually go through all the permutations.
You don't think they'd try to crack it?
Plus, by his own admission, e-mail addresses can be shared. What does this mean in this context? I don't even need to get the e-mail address encoded in the CAPTCHA! If I can get any working e-mail address, even one, I get through! So the more active he is, e-mail wise, the more likely I can randomly strike a hit in the first hundred or so tries.
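The three cost arguments in this thread (a random guess succeeds with probability 1/n, a human solver costs roughly $1000/year at one CAPTCHA per 8 seconds, and the glyph-set decoder list bounds the answer space at 26^5 or 26P5) all reduce to the same strength estimate. The following is an added example, not code from the original post or from the Virtual Photographic CAPTCHA: a small calculator, written from the defender's side, that turns a challenge design into answer-space size, entropy bits, expected deliveries under random guessing, and labor cost for a campaign. The 2000 working hours per year and the design names in compare_designs are assumptions chosen to reproduce the figures quoted above.

```python
from math import log2, perm


def answer_space(alphabet_size, length, distinct=False, tied_slots=0):
    """Number of candidate answers a solver would have to enumerate.

    alphabet_size: glyphs or choices visible in the challenge.
    length:        slots revealed by the decoder list.
    distinct:      True when no glyph may appear twice in the answer.
    tied_slots:    slots already known to equal another slot (a repeated
                   decoder entry), which add nothing to the search.
    """
    free = length - tied_slots
    if free < 0:
        raise ValueError("tied_slots cannot exceed length")
    return perm(alphabet_size, free) if distinct else alphabet_size ** free


def entropy_bits(space):
    """Bits of uncertainty a uniform answer from `space` candidates carries."""
    return log2(space)


def expected_deliveries(sent, options):
    """Messages that get through when each one is a uniform guess among `options`."""
    return sent / options


def human_solve_cost(annual_wage, seconds_per_solve, work_hours_per_year=2000):
    """(cost per solve, solves per year) for one paid human solver.

    work_hours_per_year=2000 (250 days x 8 h) is an assumption; it yields
    the 900,000 solves/year figure used in the thread for 8 s per solve.
    """
    solves_per_year = work_hours_per_year * 3600 / seconds_per_solve
    return annual_wage / solves_per_year, solves_per_year


def campaign_cost(recipients, cost_per_solve):
    """Labor cost of solving one challenge per recipient."""
    return recipients * cost_per_solve


def brute_force_seconds(space, guesses_per_second):
    """Worst-case time to exhaust the answer space; the average hit lands near the middle."""
    return space / guesses_per_second


def compare_designs():
    """Answer space and entropy for the challenge shapes discussed in the thread."""
    designs = {
        "six multiple-choice options": answer_space(6, 1),
        "five letters from A-Z": answer_space(26, 5),
        "five distinct letters from A-Z": answer_space(26, 5, distinct=True),
        "five letters, one repeated decoder entry": answer_space(26, 5, tied_slots=1),
    }
    return {name: (space, round(entropy_bits(space), 1)) for name, space in designs.items()}


if __name__ == "__main__":
    for name, (space, bits) in compare_designs().items():
        print(f"{name:45s} {space:>12,d} candidates  {bits:5.1f} bits")
    per_solve, per_year = human_solve_cost(annual_wage=1000, seconds_per_solve=8)
    print(f"one solver: {per_year:,.0f} solves/year, ${per_solve:.5f} each")
    print(f"40,000,000 recipients: ${campaign_cost(40_000_000, per_solve):,.0f}")
```

A 6-option question carries 2.6 bits per answer, which is why the thread's poster counts a sixth of the spam getting through; five free letters carry about 23.5 bits, and a repeated decoder entry removes 4.7 of them before any guessing starts.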
On top of
His system appears to rely on HTML and Images embedded in email ... many folks, including myself, have their email program setup to strip out most HTML and embedded images.
... this occurs when neither party has communicated yet - thus each sends out a challenge-response which then leads to more challenge-responses, etc ... the so-called "solution" is to whitelist the challenge-response email address, but that's easily defeated by spammers, etc.
... they can't - and audio is not much better ... many folks who have trouble seeing also have trouble hearing ... what does that leave left ... a smell or even perhaps a touch test perhaps? ... sure porn sites would love that LOL!
If his system ever became popular, spammers, scammers, etc would simply send out phish emails that appear similar to install malware, etc to scan the computers for already verified whitelisted email addresses.
And anyways, has anyone solved the challenge-response deadlock problem yet?
More user education, more law enforcement, and changes to SMTP are a more practical way of dealing with spam than kluges, some of which are worse than spam - how do vision impaired folks view an image?
Ron
Got all confused between petals and leaves, and of course I wasn't even sure the thing on the petal was actually an "N" (could have been an "H")
My favorite counter-AI techniques blew away those crazy-font CAPTCHA gateways as well as it'll slay these. The AI spider ran into CAPTCHA images of crazy-font text a machine can't read. Meanwhile, it ran a "free porn" website, and passed the CAPTCHAs it was up against back to the humans madly scrabbling for the free porn. The CAPTCHA got the humans to solve the CAPTCHAs, and sent the answers back to the CAPTCHA gateways, easily logging in. It's a massively parallel harness for human psychic energy to do machine work for machines. Just like The Matrix from the movie. Maybe that's powering this Slashdot post right now.
--
make install -not war
Michael G. Kaplan
New York, New York
mkaplansolution at lycos d o t c o m
Never trust anyone who tries to sell you an anti-spam solution while obfuscating his own address.
The shareholder is always right.
Close, but it won't be a cacophony -- it'll be more like a coprophagy.
You see? You see? Your stupid minds! Stupid! Stupid!
Just because they are using porn as bait, doesn't mean they are they porn industry.
Helen Keller maybe?
the email tax has already been banned (thanks snopes forums)
thanks google
Roland Piquepaille and slashd
Simply design the CAPTCHA such that it can only be solved using both hands.
why is every post on this page 4+?
Some of them are good, but this is defeating the point of the system
Again, this is not funny. It's informative.
This actually is true...
Just throw in a complete IQ test - then not only we will tell a human from a machine, but also a human that should use e-mail from one that probably should not.
The only real solution I see to spam is e-stamps. If they have to pay a few cents per message, it will no longer be economical for most of them.
80% of spam is already sent from trojaned Windows machines. An e-stamp system would make no practical difference; users that get hit by assorted malware often get a huge bandwidth bill (in countries that pay per meg) or a huge phone bill (if they use dialup and get a 'dialler'). Those users tighten up security, but there is a never-ending supply of new users and new Windows boxes to 0wn. With e-stamps they'd also get a huge email bill. You think the spammers are going to feel any guilt about that? They certainly won't be the ones paying for it.
455fe10422ca29c4933f95052b792ab2
Some of the computer-generated "what letters do you see here" images can be extremely tricky. I've been to sites where I can't tell the difference between a P, B, or D, what with all the deformations and gridlines and whatnot. The systems tend to get upset when I take a few tries to get it right.
-- I prefer the term "karma escort."
but since the (l)users foot the bill word will get out that you need to secure your machine.
Snowden and Manning are heroes.
I show a single picture with images of a rock
a tree and a person. I ask you which one is
the mineral. (Caveat: If you don't know the
answer, and are nonetheless a human, you're
not allowed to use the computer. Sorry. Nothing
personal.)
Or, I show pictures of three women, and ask you
which one would more likely win a beauty contest.
(The pictures are chosen so it's obvious to a
human.)
You can spend 10,120 hours writing your clever
neural net to auto-answers these questions.
And I'll just make up new questions like this.
(This took me like 30 seconds, btw, compared
to the weeks/months it will take your AI program
to get up to snuff.)
"When water falls from the sky, you say it's ______".
Make the words digitized, you can even distort them a little, but the answer is _NOT_ displayed. Besides an image recognition system, you'd also need a powerful AI engine (like a superloaded expert system).
I remember hearing about verbal tests somewhere, but I can't recall where.
how badly all of you fell for a freaking obvious troll.
...if it's this easy.
CAPTCHAS (did I even spell that right?) serve no real purpose, as they can easily be defeated by
a) cheap labor in third-world countries
b) porn sites
c) inevitable software hack
Those are usually acceptable when we're talking about a service, such as Yahoo. But for email, it's useless because
a) it blocks legitimate automated mailings
b) it generates additional traffic
c) it requires the sender to do work, instead of the recipient
d) there's already a better way
Don't thank God, thank a doctor!
I'm also not convinced that it makes sense to go to all this effort to make it compatible with the present e-mail infrastructure. Because the present system isn't designed for this kind of thing, the whole system ends up being unnecessarily complicated and difficult to use. The effort of getting significant numbers of people to adopt a scheme like this isn't all that different from the effort needed to get significant numbers of people to switch to an entirely new e-mail infrastructure. All we need is for one big corporation to decide they're tired of wasting effort on spam; they start using a new system for their internal e-mails, and then it spreads.
Find free books.
I think many people are misunderstanding something fundamental about the economy of fooling porn-hungry users into cracking CAPTCHA systems.
Currently they are cracking the systems of free email sites, no? So each CAPTCHA image they decode yields an entirely free email account, free to spam from for a while until its abuse is detected and it is shut down. That makes good sense... rig up a complicated system, keep on top of Yahoo's dodges and modifications, integrate it with a porn site, and at the end of the day you've got a stack of email accounts, each one good for sending out a few dozen spams (or 50, or 100, whatever the limit is.)
With Kaplan's CAPTCHA system, each decode gets you one destination email address. Just one. And it can be suspended without too much hassle on the target's part -- it won't even interrupt incoming mail from his friends. This doesn't make good sense -- it throws the cost/benefit ratio out of whack.
80% of spam is already sent from trojaned Windows machines. An e-stamp system would make no practical difference; users that get hit by assorted malware often get a huge bandwidth bill
Ideally one would should or could set a limit on the number of emails per day with their ISP. For example, most people don't go over about 20 per day. If more than 20 are sent, then some sort of confirmation must be given. However, I suppose the confirmation can also be hacked. Perhaps use a phone call-back system for confirmation. However, such a system probably would have to be put into law, and not all countries would have such.
Man, this *is* a tough problem.
Table-ized A.I.
http://shit.slashdot.org/article.pl?sid=05/01/31/2335253
Basically, the author of the article asserts that many "traditional" CAPTCHAs (images showing distorted text) have been broken to promote his own, complicated system. This is basically bullshit. If it was so, we would have super-duper OCR already, but we don't. And the worst thing is: his system is so complicated, I couldn't understand it by RTFA once. Instead of overcomplicating things, he should think about trying to understand why CAPTCHAs _are_ secure (if one CAPTCHA has been broken, just add more distortions, and it is secure again; as a side effect, an AI-complete problem has been solved).
I mean, all this "has been broken, has been broken, has been broken" bullshit in this article: he should just take a look at e.g. the authimage plugin for WordPress, which uses a very interesting font that draws every letter from a lot of small circles.
A monkey is doing the real work for me.
Even if only .01% of people use CAPTCHAs, the cost-per-CAPTCHA is roughly the same. In fact, it's probably higher with less people using it. I doubt it's cost-effective to beat CAPTCHAs with labor unless you have a fairly targeted high-yield spam, and given the fact that 90% of my spam is for either Internet pharmaceuticals, home loans, or pr0n, I doubt targeted spam is anywhere near the norm.
All we need to prevent that is to have free, high quality porn site run by non spammers that everyone knows about. If only someone would create such a thing.
autopr0n is like, down and stuff.
And by rescue, I mean ass-rape.
All the spammers need to do is use zombie boxes as proxies
why for do they need so much emails??
I wrote an article (and some code) a while ago about a proposal for an accessible CAPTCHA that combines audio and visual information.
Also, having e-mail bouncing and then having to take manual action again seems tedious.
Standards Schmandards
Anything that discriminates so flagrantly against people with vision or cognitive disabilities may get companies in trouble with the law.
Not if they provide alternatives (sign-up by mail or telephone, for example). After all, we don't outlaw street signs or telephones just because there are blind or deaf people around.
So on that note, I'm running this video game site (http://www.dragon-tear.net/) and I might need a captcha sometime later. I had this idea of generating a number with an ascii image, like so:Really simple. That way it can be done with any alphanumeric. Does anyone know if this scheme was cracked yet?
I am NOT a number! I am a - oh wait, I'm number 761710. Look! 761710!
Terrorists can't threaten a country's freedom and democracy. Only lawmakers and voters can do that.
I'll just install gaim on a number of occasions.
The logical conclusion is that i'm one of the human body. You know, i don't know what the future holds. I have hope that the web is adapting to google now, not the other side as well on a windows machine, then microsoft will be very upset when i tell her.
You are a part of the body between the ribs and the system microsoft sucks shit. See ya. We had a dollar for every judge who's asked that, i'd be able to possess fully-automatic rifles, explosives, and other arms that are "in common use at [this] time." right? Because it is time to face facts. Ants have a complex social structure, and instincts.
Wow, you're just asking some bored hacker out there to prove you wrong.
That would be what's formally known as "peer review".
what about all the people with less than perfect vision (or migraines).
Couldn't you do a audio version too?
thank God the internet isn't a human right.
Ideally one would should or could set a limit on the number of emails per day with their ISP. For example, most people don't go over about 20 per day. If more than 20 are sent, then some sort of confirmation must be given.
So why not just DO THAT and forget about the stupid payment system? Limit each zombied box to about the number of messages a person would normally send and you would greatly reduce the spam problem.
Eclectic beats from Leeds, UK
handmadehands.co.uk
If such a technique receives a good response from content providers one can easily foresee a major decrease in online registrations.. at least in that 30% of internet users that can't make the 100-point marker on IQ tests.
Distributed computing power over people - like in Neal Stephenson's the Diamond Age - except substitute Beaters for Drummers?
Put two pics up, one a grid (not necessarily uniform sized) with say 9 squares. Randomly number with an ascii art number in each square.
Put another pic up with the same grid with a distorted word in each square...
Ask user to pick word from square X.
The bot would have to know which square is which so would have to decode the ascii art to get the cell reference, then would have to work out where the grids were in the pic (not too hard but another stage in the process), then decode the word correctly...
--- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
Offshore the deciphering work to India.
Just give all web visitors a Voigt-Kampff empathy test.
Be careful about them - I know 2 guys that answered them, and they BOTH ended up with their ex-wives.
It's a plot - a LOT of these are generated by the DHS's (Department of Homeland Security) Morality Corps [tt]. They want only good, loyal, moral citizens to be able to vote, and the pr0n-loving masses^W^Wscumbags will be excluded from the next election, which will also have a ballot measure to seek to repeal term limits on the presidency.
My father is partially sighted, and couldn't read any of these CAPTCHAs.
Which leads to the question: Is this sort of check legal, given that it discriminates against people with a disability?
Too bad that that example on that site of 'an international group of PHP experts dedicated to promoting secure programming practices within the PHP community.' is flawed.
It always writes to the same .jpg file, so two people requesting the page at the same time will see the same image (the last generated one).
If these are the PHP experts on secure programming, I am now really worried.
--
If code was hard to write, it should be hard to read
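The grid proposal above (numbered squares, a distorted word per square, "type the word in square X"), the earlier suggestion of generating each image per user session, and the shared-.jpg race just described all come down to one server-side question: where does the expected answer live between issuing the challenge and checking the reply? The following is an added example, not code from any post here or from the phpsec article: a minimal challenge store that keys the expected answer by session instead of a shared file, so concurrent visitors can never receive each other's image, and that expires each challenge, limits attempts, and consumes it on first use. The word pool, the 9-square grid, the 5-minute lifetime and the 3-attempt limit are assumptions; rendering the squares as distorted images is left to whatever image library the site already uses.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed word pool for the demo; a real deployment would use a larger list.
WORD_POOL = ["castle", "river", "lantern", "pepper", "violin", "anchor",
             "meadow", "copper", "saddle", "falcon", "harbor", "pencil"]


@dataclass
class Challenge:
    cells: list          # [(label, word), ...] in display order; labels are shuffled
    target_label: int    # the square the visitor is asked about
    expires_at: float    # absolute time from the store's clock
    attempts_left: int


def expected_answer(challenge):
    """Server-side lookup of the word sitting in the requested square."""
    return next(word for label, word in challenge.cells if label == challenge.target_label)


class ChallengeStore:
    """Per-session challenge state: one pending challenge per session, single use."""

    def __init__(self, ttl_seconds=300, max_attempts=3, clock=time.time, rng=None):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock                      # injectable for testing
        self.rng = rng or secrets.SystemRandom()
        self._pending = {}                      # session_id -> Challenge

    def issue(self, session_id, grid_size=9):
        """Create a fresh challenge for this session, replacing any earlier one."""
        labels = list(range(1, grid_size + 1))
        self.rng.shuffle(labels)                # ascii-art numbers are not in reading order
        words = self.rng.sample(WORD_POOL, grid_size)
        challenge = Challenge(
            cells=list(zip(labels, words)),
            target_label=self.rng.choice(labels),
            expires_at=self.clock() + self.ttl,
            attempts_left=self.max_attempts,
        )
        self._pending[session_id] = challenge
        return challenge

    @staticmethod
    def prompt(challenge):
        """Text shown beside the two grid images."""
        return f"Type the word shown in square {challenge.target_label}"

    def verify(self, session_id, answer):
        """Check a reply; the challenge is discarded on success or when attempts run out."""
        challenge = self._pending.get(session_id)
        if challenge is None:
            return False                        # nothing issued, already used, or expired
        if self.clock() > challenge.expires_at:
            del self._pending[session_id]
            return False
        submitted = answer.strip().lower().encode()
        ok = hmac.compare_digest(submitted, expected_answer(challenge).encode())
        challenge.attempts_left -= 1
        if ok or challenge.attempts_left <= 0:
            del self._pending[session_id]       # never reusable, never left for guessing
        return ok


if __name__ == "__main__":
    store = ChallengeStore()
    ch = store.issue("session-abc")
    print(store.prompt(ch))
    print("grid (label, word):", ch.cells)
    print("correct reply accepted:", store.verify("session-abc", expected_answer(ch)))
    print("replay accepted:", store.verify("session-abc", expected_answer(ch)))
```

Because the pending answer is held per session and dropped after use, an image copied to another site is worthless without that site also controlling the visitor's session on the original server, which is the property the session-based suggestion above was after.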
The end of the world will come about as the CAPTCHA designers and bot writers go back and forth until the bot writers create a fully sensient AI that takes over the world and enslaves us all. Get over it.
SPAM
Is there any other challenge/response system that allows for the unimpeded receipt of third party emails? Is there any other challenge/response system that avoids challenging every unique correspondent? Yes. TMDA. Bite me. In fact, bite me >here< (but you'll have to be quick, this address expires in three days).
Like tinyurl, but one letter less! http://qurl.co.uk/
It is extremely common for people to mistakenly believe a recipient whitelist is the same as a sender whitelist. A sender whitelist, as we all already know, can be easily faked in the MAIL FROM: at the SMTP protocol level. A recipient whitelist (RCPT TO:) is not as easily faked since the recipient has control of what is a valid recipient address. Both ZoEmail and Reflexion are using the latter technique to overcome spam. Since the email user (recipient) has control over what is a valid email address, it turns the table around in terms of fighting spam because spammers can't spam you if they can't figure out what the recipient's (i.e. YOUR) definition of a valid recipient address is. Even if they figure it out, you still have control because you can revoke it. And that's the beauty of it.
In the visual representation of the Captcha, include information stating that this was generated for email verification and should be ignored if used for web-site access verification. This information needs to be integrated tightly with the captcha itself to deter automatic removal.
to help in making his Cylon detector.
Vision. Ha. Use sound files to authenticate a human. Speech to text is wildly inaccurate if you have background sounds.
Wow, we can implement amazingly tricky CAPTCHAs that only a human can possibly correctly identify, but we can't notice that in a given day we get 10,000 signup requests from the same f'ing IP address.
Welcome to the Internet.
cyn, free software and *nix operating systems enthusiast.
A site involved in pr0n-monkey CAPTCHA solving does not know the correct response to the CAPTCHA until after retransmitting it to the originating server. Sending a registration bot to the porn site, programmed to randomly guess at the re-presented CAPTCHA, would generate a spike in rejections from that site, which could then be blacklisted.
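The two observations just above, that a porn-relay site sees a spike in rejected CAPTCHA answers when a bot guesses at the re-presented challenges, and that 10,000 signups from one address in a day should be noticed without any image trickery, are both per-source rate checks over the site's own logs. The following is an added example, not code from any post here: a small detector that reads constructed "timestamp ip captcha=pass|fail" log lines and flags sources that either exceed an attempt ceiling inside a sliding 24-hour window or show an abnormal failure ratio. The log format, the three sample addresses (documentation ranges) and the thresholds of 100 attempts/day and a 50% failure rate over at least 20 attempts are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed log: one ordinary visitor, one guessing bot, one signup flood."""
    base = datetime(2005, 2, 1, 0, 0, 0)
    lines = []
    for hour in (9, 10, 11):                      # ordinary visitor, three successes
        lines.append(f"{(base + timedelta(hours=hour)).isoformat()} 198.51.100.5 captcha=pass")
    for i in range(40):                           # bot guessing at re-presented CAPTCHAs
        outcome = "pass" if i % 10 == 0 else "fail"
        lines.append(f"{(base + timedelta(minutes=5 * i)).isoformat()} 203.0.113.7 captcha={outcome}")
    for i in range(150):                          # human-solved flood from one address
        lines.append(f"{(base + timedelta(minutes=8 * i)).isoformat()} 192.0.2.9 captcha=pass")
    return "\n".join(lines)


def parse_events(text):
    """Turn log lines into (timestamp, ip, passed) tuples; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("captcha="):
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2] == "captcha=pass"))
    return events


def flag_sources(events, window=timedelta(hours=24), max_attempts=100,
                 min_attempts=20, max_fail_rate=0.5):
    """Return {ip: [reasons]} for sources that look automated or abusive."""
    by_ip = defaultdict(list)
    for ts, ip, passed in sorted(events):
        by_ip[ip].append((ts, passed))

    flagged = {}
    for ip, rows in by_ip.items():
        reasons = []

        # Peak attempt count in any sliding window (rows are time-ordered).
        recent, peak = deque(), 0
        for ts, _ in rows:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > max_attempts:
            reasons.append(f"{peak} attempts within {window}")

        # Failure ratio, only judged once there is enough data to mean something.
        attempts = len(rows)
        failures = sum(1 for _, passed in rows if not passed)
        if attempts >= min_attempts and failures / attempts > max_fail_rate:
            reasons.append(f"{failures}/{attempts} attempts failed")

        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_sources(parse_events(build_sample_log())).items():
        print(ip, "->", "; ".join(reasons))
```

The failure-ratio rule is the one a relay site would use against a guessing bot; the attempt-ceiling rule is the one the signup site itself should have had in place before reaching for a harder image.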
As we all know from watching movies, humanity cannot effectively combat an army of robots. Solution: recruit our own robots.
And if we can create AIs that can defeat CAPTCHAs, why can't we create AIs that can differentiate between human and bot?
"This quote is a product of the Frobozz Magic Quote Company."
Yes, but he also has the name;random@domain where each random part is unique to the sender, and can be blocked easily forever. Meaning the spammer gets one set of messages through, then it's useless forever. Such an easy-to-block system has its advantages even without CAPTCHA. You just have to make sure that you never give out the easy-to-remember one to non-trusted individuals.
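The recipient-whitelist idea described a few posts up (accept or reject on RCPT TO:, which the spammer cannot forge, rather than on MAIL FROM:, which they can) and the name;random@domain scheme in the post above are the same mechanism. The following is an added example of it and is not code from TMDA, ZoEmail or Reflexion; the address layout, the tag length, the SMTP reply texts and the names used are assumptions.

```python
"""Recipient-side whitelist using per-correspondent tagged addresses.

The mailbox owner hands each correspondent their own address of the form
user;tag@domain.  The server decides at RCPT TO: time purely on whether
the tag was issued and not revoked; MAIL FROM: is never consulted, so
forging it gains the spammer nothing.  Added example; layout and reply
texts are assumptions.
"""
import re
import secrets

RCPT_RE = re.compile(r"^RCPT TO:\s*<([^>]+)>\s*$", re.IGNORECASE)


class TaggedMailbox:
    def __init__(self, user, domain):
        self.user, self.domain = user.lower(), domain.lower()
        self.issued = {}        # tag -> correspondent the tag was handed to
        self.revoked = set()

    def issue(self, correspondent):
        """Mint a fresh address for one correspondent (32 random bits, an assumption)."""
        while True:
            tag = secrets.token_hex(4)
            if tag not in self.issued:
                break
        self.issued[tag] = correspondent
        return f"{self.user};{tag}@{self.domain}"

    def _parse(self, address):
        """Return the tag of a user;tag@domain address that is ours, else None.

        A bare user@domain address yields the empty tag.
        """
        local, sep, dom = address.rpartition("@")
        if not sep or dom.lower() != self.domain:
            return None
        user, _, tag = local.partition(";")
        if user.lower() != self.user:
            return None
        return tag.lower()

    def revoke(self, address):
        """Kill a leaked tag forever; returns False if it was never issued."""
        tag = self._parse(address)
        if not tag or tag not in self.issued:
            return False
        self.revoked.add(tag)
        return True

    def rcpt_to(self, line):
        """Decide one SMTP 'RCPT TO:<...>' line.  Returns (reply code, text)."""
        m = RCPT_RE.match(line)
        if not m:
            return 501, "Syntax error in RCPT TO"
        tag = self._parse(m.group(1))
        if tag is None:
            return 550, "No such user here"
        if tag == "":
            # The easy-to-remember address the post says to give only to trusted people.
            return 250, "OK (untagged address)"
        if tag in self.revoked:
            return 550, "Recipient address revoked"
        if tag not in self.issued:
            return 550, "Unknown recipient tag"
        return 250, f"OK (correspondent: {self.issued[tag]})"


if __name__ == "__main__":
    mb = TaggedMailbox("alice", "example.org")
    addr = mb.issue("newsletter")
    print(addr, mb.rcpt_to(f"RCPT TO:<{addr}>"))
    mb.revoke(addr)
    print(addr, mb.rcpt_to(f"RCPT TO:<{addr}>"))
    print(mb.rcpt_to("RCPT TO:<alice;nope@example.org>"))
```

Because the tag is random rather than derived from the correspondent's name, a spammer who harvests one tagged address learns nothing about the others, and revoking it costs the owner nothing but issuing a replacement to that one correspondent.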
Remember Uncle Billy wants to secure your machine - that he wants to secure it mostly from you is another story. We'll get to the point in time where the average user has less control of his machine than a script kiddie. Oops, sorry, we're already there.
Not if they provide alternatives (sign-up by mail or telephone, for example).
I've seen a lot of sites with CAPTCHAs that fail to list such alternatives.
It's the perfect solution!
Whoever corrects a mocker invites insult;
whoever rebukes a wicked man incurs abuse.
--Proverbs 9:7
I think that the solution to this one would be to put the domain name in the image. If the porn site was using my image, then the surfer would know that the image came from my site.
No man is an island... But I wouldn't mind having a bigger moat.
My approach simply filters out all email containing stuff spammers/crackers use in email to do their dirty work.
Interested? Complete details here.
While other antispam advocates here on Slashdot hide behind obfuscated email addresses, I opted to use an unobfuscated one--just like the 'good old days' on the Internet before the spammers made email communications almost worthless....
Nowadays, the only spam I get is 'zero content spam' used to verify recipient email addresses. Lame and pathetic.
You DO know that someone's gonna want you to prove you're the next John Holmes by providing a link ...
Oh, for pity's sake, don't implement this:
Don't you see? Spammers forge sender addresses all the time. If you get your autoresponder to write to this forged address, you're just spamming an innocent third party.
This is exactly like those damned "helpful" virus warnings that talk about you sending a virus you don't have to a person you don't know from a DSL IP in Brazil.
Plus the usual challenge-response objections. The flame-form posted above has it right.
Mind the Gap
I got "NUCKX", because I not only got petals and leaves confused, I also have problems remembering left from right, especially when the perspective is reversed. And you're right, the "N" was rather hard to see without squinting.
I can only imagine how bad this is for people without English as their primary language! >_
Vista:XPSP2::ME:98SE