Slashdot Mirror


Making CAPTCHAs Even Harder With 3-D Models

Michael G. Kaplan writes "CAPTCHAs (Completely Automated Public Turing Tests to Tell Computers and Humans Apart) are commonly used to prevent computers from filling out web forms. Computer vision experts have been able to design programs to foil CAPTCHAs with a high degree of success. I have designed a CAPTCHA that is based on the identification of attributes contained in an image generated by the grouping of easily recognized 3-D objects. I call this the Virtual Photographic CAPTCHA and it is likely to remain invulnerable to automated attack for many years to come. A novel anti-spam system necessitated its development."

15 of 326 comments

  1. CAPTCHAs have already been cracked by tekiegreg · · Score: 5, Interesting

    A while back on Slashdot (I'm too lazy to find the link) there was an article on CAPTCHAs being attacked by spammers who would set up a porno site requiring user registration using the CAPTCHA they had in mind to crack, then forwarding the results to the anti-CAPTCHA bot.

    Vision-recognition systems be damned, all a spammer needs to do is use the inherent need of apparently most of the male race to look at pictures of naked women to get what he needs. I don't know if a counter was ever found to this method either...

    --
    ...in bed
    1. Re:CAPTCHAs have already been cracked by abborren · · Score: 2, Interesting

      I guess something that would help could be to include, in the picture, some little notice like "If you see this picture on a non-yahoo webpage, please report to blah@blah".

      Could perhaps be countered by removing that notice before presenting it to the eager-to-see-porn target. Though it would at least make the entire procedure trickier.

      --
      ><////>
  2. Popular CAPTCHA implementation beaten by SJasperson · · Score: 5, Interesting

    http://www.brains-n-brawn.com/default.aspx?vDir=ai captcha The developer of an automated breaking bot explains how he did it.

    --
    Sigs? Sigs? We don't need no steenkin' sigs.
  3. I need a program to identify them by AvitarX · · Score: 2, Interesting

    I was doing a whois with one of the forms the other day and was unable to pass the test. There were thick lines over the text and it was sloppy cursive-ish text I was supposed to identify.

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  4. Don't invest time in these things yet. by Anonymous Coward · · Score: 3, Interesting

    The federal government is considering outlawing this abusive practice. I met with a senator from SC and another from GA in the past month wrt this issue. They, like most people I know, hate it, and hate the artificial barrier it creates for Internet usage.

    I work at a school for the deaf and blind, and CAPTCHAs make it impossible for the blind or many of the vision impaired to do many things on the Internet without having help from someone with good vision. Even I, with my cheap LCD monitor and 73-year-old eyes, have trouble reading the Yahoo ones.

  5. A Simple Improvement? by SpottedKuh · · Score: 2, Interesting

    In the images from the harder version of Gimpy, http://www.cs.berkeley.edu/~mori/gimpy/hard/, the grey colour of the text is distinctly darker wherever two letters intersect (e.g. where the "o" and "s" intersect in "long" and "sharp" in the upper right corner of the first image).

    Now, I'm not suggesting that it is easy for a computer to read these words; but, wouldn't this darker text colour make it easier for a learning algorithm to "dissect" two letters that intersect slightly?

    I can't imagine that recognizing the letters without the darker intersections would be much harder for people, but I can see the darker intersections being an advantage for computers. Why not remove them?

  6. solving the handwriting problem by bremstrong · · Score: 4, Interesting

    Use handwritten challenges and let the spammers solve the handwriting recognition problem for us.

  7. Honestly! by ackthpt · · Score: 2, Interesting

    I wonder if a 3d applet containing some 3d forms would be harder to decode. Sounds like a good project for someone bored!

    That's what I thought this was going to be about. Imagine my disappointment at more of the same. What about a Q/A based upon an image?

    I.e.

    The boy has how many apples in his left hand?

    Animals, Left to right (cat, dog, bird)

    With enough style these could be much more difficult than those damn words, which even I, with my above average visual acuity, have difficulty deciphering (imagine the problems this presents for the visually impaired!)

    --

    A feeling of having made the same mistake before: Deja Foobar
  8. Re:Why graphics? by fname · · Score: 2, Interesting

    I know this is mostly a joke, but to a large degree it's true. I've seen captchas implemented in blogs for comment posting, and it seems like such overkill. My group-blog has implemented a very simple password scheme to prevent comment spammers. Initially, the thought was to use a captcha, until we realized it would suck to use on our Treos or other cell phones. Then we considered listing the solution in text so that any human could read it. Since it would be a home-grown solution, comment spammers would not be effective since it wouldn't be worth the effort to defeat it.

    In the end, my co-blogger required a password to post a comment, and the password never changes; this way, MT remembers us and we never have to re-type it. Even if we wrote the password in big, bold type above every entry (we don't, as we're a mostly stealth blog), I doubt we'd get any comment spam. We only implemented this a few months ago when comment spam rapidly went from once-a-month to twice-a-day (and looking to get much worse).

    In the end, it's a simple, elegant solution to the problem of comment spamming in personal blogs. And it doesn't require any processing power either (unlike some blacklists, which nearly killed our server due to some quirks).

  9. This is a bad thing for the blind. by Anonymous Coward · · Score: 3, Interesting

    And how are visually impaired people supposed to do this? Use the alt text?

  10. Take the recognition out of the loop by Centurix · · Score: 2, Interesting

    Instead of making the actual recognition of something the object of the exercise, how about elevating it to a more abstractive method. My daughter was watching Sesame Street the other day and it came up with the "One of these things is not like the other", she got it right instantly, shouting at the TV, and I got thinking about how it could be implemented to weed out the humans from the computers. You could have a collection of easily recognisable monochrome shapes, maybe a couple of hundred, group them by image attributes, say a group of pictures of birds, some flying, some not, large birds, small birds. And then present the user with 4 pictures of birds, three flying, one not or whatever and get them to click on the odd-one-out. then you could re-use the same birds with different attributes on the pictures, like three large eagles and a small sparrow. This would require the automated CAPTCHA cracker to not only recognise the shape but also figure out which picture is the odd one out.

    --
    Task Mangler
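The odd-one-out scheme Centurix sketches is easy to get subtly wrong (a pool where every item shares the attribute, or a puzzle whose "odd" card is not unique), and it has a property the comment does not spell out: a bot that clicks at random passes a four-card puzzle one time in four. The following is an added example, not code from the original thread or from any CAPTCHA product; the shape pool is constructed sample data and the attribute names are assumptions. It builds a puzzle from a labelled pool, checks an answer server-side, and computes how many puzzles in a row are needed to push the blind-guess pass rate below a chosen threshold.

```python
import math
import random

# Constructed sample pool standing in for the "couple of hundred" labelled
# monochrome shapes the comment imagines. Each entry carries the attributes a
# puzzle can be built on, so the same item is reused across different puzzles
# (the eagles are "large" in one round and "flying" in another).
SHAPES = [
    {"id": "eagle-1",   "kind": "bird", "flying": True,  "size": "large"},
    {"id": "eagle-2",   "kind": "bird", "flying": False, "size": "large"},
    {"id": "hawk-1",    "kind": "bird", "flying": True,  "size": "large"},
    {"id": "sparrow-1", "kind": "bird", "flying": True,  "size": "small"},
    {"id": "sparrow-2", "kind": "bird", "flying": False, "size": "small"},
    {"id": "robin-1",   "kind": "bird", "flying": True,  "size": "small"},
    {"id": "cat-1",     "kind": "cat",  "flying": False, "size": "small"},
]


def make_odd_one_out(pool, attribute, rng=random):
    """Build one challenge: three items sharing a value of `attribute`, plus one
    whose value differs, in random order. Returns (ids, answer_index, attribute).
    Only the ids are sent to the client; the answer index stays server-side."""
    by_value = {}
    for item in pool:
        by_value.setdefault(item[attribute], []).append(item)
    # Only a value with at least three members can form the majority.
    majority_values = [v for v, items in by_value.items() if len(items) >= 3]
    if not majority_values:
        raise ValueError(f"no value of {attribute!r} has three examples")
    majority = rng.choice(majority_values)
    outsiders = [i for v, items in by_value.items() if v != majority for i in items]
    if not outsiders:
        raise ValueError(f"every item shares the same {attribute!r}")
    cards = rng.sample(by_value[majority], 3) + [rng.choice(outsiders)]
    rng.shuffle(cards)
    odd = next(c for c in cards if c[attribute] != majority)
    return [c["id"] for c in cards], cards.index(odd), attribute


def check_answer(challenge, clicked_index):
    """Server-side check: the client only sends back the index it clicked."""
    _ids, answer_index, _attribute = challenge
    return clicked_index == answer_index


def rounds_needed(max_guess_rate, choices=4):
    """A bot picking at random passes one `choices`-card puzzle with
    probability 1/choices. Returns how many independent puzzles must all be
    solved to push that blind-guess pass rate down to `max_guess_rate`."""
    return math.ceil(math.log(max_guess_rate) / math.log(1 / choices))
```

Because each puzzle has only four candidates, a single round is a weak test against an automated guesser; chaining four rounds brings the guess rate below one percent, at the cost of more clicks for the human. Varying the attribute between rounds is what forces a solver to understand the pictures rather than memorise which file was the odd one last time.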
  11. Re:This is a good thing! Not!! by termigan · · Score: 2, Interesting

    Huh, it's discussions like this that make me wonder if the internet's going to break down into a chaotic, useless cacophony of spam/bot noise empowered by cheap global labor, the porn surfers who jump through whatever hoops and porn providers who cater to those wanting porn and anyone who wants to throw money at these groups of people.

    How depressing.

    --

    Today is all we really have. We should all live it well: it is our stepping stone to all of our tomorrows.

  12. CAPTCHA problems resolved by ezraekman · · Score: 2, Interesting

    The federal government is considering outlawing this abusive practice. I met with a senator from SC and another from GA in the past month wrt this issue. They, like most people I know, hate it, and hate the artificial barrier it creates for Internet usage. I work at a school for the deaf and blind, and CAPTCHAs make it impossible for the blind or many of the vision impaired to do many things on the Internet without having help from someone with good vision. Even I, with my cheap LCD monitor and 73-year-old eyes, have trouble reading the Yahoo ones.

    I find the classification of these measures as "abusive" to be flawed at best, and misleading at worst. CAPTCHAs are a desperate response to an immoral group of people who will stop at nothing to make money with absolutely no regard for the problems, cost, and distress they cause their targets, who hide behind the first amendment when possible, or use illegal techniques when not. I hate having to deal with them myself, but I understand the necessity of their existence, however unpleasant, and will continue to deal with them as long as is necessary, as such.

    Below are several problems mentioned with CAPTCHAs, as well as some possible solutions:

    1] Accessibility

    Problem: Blind/visually impaired users cannot reliably read the altered text.

    Solution: Audio file accompanies every graphic, to be read on command. (However, still crackable with speech recognition.)

    2] Referring test to 3rd parties

    Problem: Spammers have other membership-based site users (i.e. porn sites) do the test.

    Solution 1: Image is generated randomly, based on a user session, requiring an actual visit to your site; copying will be less effective unless the images are compared later... which may be quite some time if there are a large number of images and/or if the images are generated live on the server, rather than being stored files.

    Solution 2: Include text embedded in the image (and audio file) specifically referencing the site it is to be utilized with exclusively, requesting that the user report violations of duplication/unauthorized usage, and possibly offering a small reward for information leading to the arrest/conviction/judgment against the violator.

    3] AI text processing

    Problem: AI can be complex enough to identify letters, no matter how obfuscated, until such characters must be so distorted that even a human cannot decipher them.

    Solution: Ask a logic question, present a photograph, or require another means of challenge/response than simple text recognition.

    Example 1: Present a photograph of an apple or otherwise easily-spelled object, and ask the user to type the name into a field, or allow the user to select from a group of mildly distorted text, to avoid spelling issues. (However, this issue raises the accessibility issue again.)

    Example 2: Present a short list of slightly distorted words (with audio files available for each word), and ask a short logic/history/other question. (One | Two | Three | Four | Orange - Of these words, one does not match. Please type the number of letters in this word, in numeric format. (Example: Apple = 5) This test is to be used exclusively by abc123.org. Please let us know if you see this elsewhere, as this means it was stolen.)

    Until it is financially infeasible for a spammer to continue to do business, we will all be forced to deal with the messes they make. This is a challenge/response system, not an attempt to abuse the users of the internet. If there was a better way to solve this problem than hitting "delete" (which must happen hundreds if not thousands of times per day, for some of us), or using filters (which ALL give false positives, eventually), you can be sure that millions of semi-knowledgeable or better computer users would have chosen this path. To claim that such measures, which attempt to HELP people, are abuse... perhaps you would like to re-evaluate your claim.
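Solutions 1 and 2 under "Referring test to 3rd parties" above amount to three server-side properties: a challenge is bound to the session that requested it, it can be answered exactly once, and it expires. The code below is an added example written for this thread, not ezraekman's or any site's implementation; the site tag `example.org`, the two-minute lifetime and the word list are assumptions. It keeps the pending challenges in memory and accepts an injectable clock so the expiry path can be exercised. Rendering the text into an image or audio file is outside the point being made, so the block returns the text that would be rendered.

```python
import hashlib
import hmac
import secrets
import time

SITE_TAG = "example.org"          # assumed site name stamped into every challenge
CHALLENGE_TTL_SECONDS = 120       # assumed lifetime of an unsolved challenge
WORDS = ["apple", "river", "candle", "garden", "silver"]  # constructed answer pool


class ChallengeStore:
    """Issues CAPTCHA challenges bound to one session and valid for one attempt."""

    def __init__(self, server_key, clock=time.time):
        self._key = server_key          # secret known only to the server
        self._clock = clock             # injectable for tests; time.time in production
        self._pending = {}              # challenge_id -> (session_id, answer, issued_at)

    def _token(self, session_id, challenge_id):
        # The HMAC ties the challenge to the session that requested it. A bot
        # that relays the image to a third party gets the answer, but cannot
        # submit it from a session other than the one the token was minted for.
        msg = f"{session_id}|{challenge_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id):
        challenge_id = secrets.token_hex(16)
        answer = secrets.choice(WORDS)
        self._pending[challenge_id] = (session_id, answer, self._clock())
        # Text that would be rendered into the image (and read in the audio
        # version); the site tag lets a human notice a relayed copy.
        image_text = (f"{answer} -- for use only on {SITE_TAG}; "
                      f"report it if you see it anywhere else")
        return challenge_id, self._token(session_id, challenge_id), image_text

    def verify(self, session_id, challenge_id, token, response):
        # Remove first: any attempt, right or wrong, consumes the challenge, so
        # a solved image cannot be replayed and a wrong guess cannot be retried.
        record = self._pending.pop(challenge_id, None)
        if record is None:
            return False
        bound_session, answer, issued_at = record
        if bound_session != session_id:
            return False
        if self._clock() - issued_at > CHALLENGE_TTL_SECONDS:
            return False
        if not hmac.compare_digest(self._token(session_id, challenge_id), token):
            return False
        return hmac.compare_digest(response.strip().lower(), answer)

    def sweep(self):
        """Drop expired challenges so abandoned ones do not accumulate.
        Returns the number still pending."""
        now = self._clock()
        expired = [cid for cid, (_s, _a, issued) in self._pending.items()
                   if now - issued > CHALLENGE_TTL_SECONDS]
        for cid in expired:
            del self._pending[cid]
        return len(self._pending)
```

The `pop` before any check is the important line: the comment's observation that a relayed image "will be less effective unless the images are compared later" depends on each image being usable once and only from the session that fetched it. Generating images live, as the comment suggests, is what makes the challenge id unguessable; storing a fixed set of files would let a solver build a lookup table of their hashes.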

  13. Re:Problems with This System by emkman · · Score: 2, Interesting

    Most of your points just aren't valid, and are addressed in the article. While this isn't the most user-friendly system ever, there will never be an "easy for everyone and their grandmother" solution to spam, so learn to compromise a bit. In theory at least, this system is pretty damn solid. As for your complaints:
    1. If you emailed an employer your resume, he would automatically be whitelisted. His reply would go through to your inbox, and he would be sent a valid subaddress in plaintext that could be automatically added to his mail client should he wish to contact you further. If he was first to initiate contact, then he would have to decode 1 CAPTCHA after which communication would be seamless. Hardly time-consuming, especially since the bounce for the CAPTCHA would come to him right after he sent the first email. In the case of a university, it would be trivial for you to have a rule allowing all mail from a given domain. You certainly wouldn't want this for aol.com but I have no problem whitelisting any address@schoolIgoto.edu
    2. Users, so to speak, don't have to maintain anything, their mail clients do. Current spam filters maintain a database of spam to perform Bayesian analysis, which is more massive than a database of contacts.
    3. The system will generate 1 (or maybe a few) bounces for initial correspondence between new users. This is nothing compared to the volume of wasted traffic due to spam. Furthermore, how many times do you send email to someone you've never mailed before? The 1 bounce to obtain a trusted method of communication seems worth it to me.
    4. The system does not rely on both ISPs, however it simply would be more efficient if the sending ISP is in the know. That way the addition of a trusted subaddress can be even more automated, but this is not necessary.
    5. The subaddresses are not suggested to be easily memorable, but rather random. They will be stored by your mail client, and it is not really important for you to remember once you have decoded it the first time.
    6. Your parents never have to know about subaddresses to receive email. They can give out their address as before. When people email them, the bounce will be sent and all the contacts will establish subaddresses, without your parents ever realizing what happened.

    Most of these "burdens" you bring up would be handled by software and would not be placed on the end user. You should read the webpage as all these things are pretty clearly explained.

    --
    Moderation Totals: Flamebait=2, Troll=1, Redundant=1, Insightful=6, Overrated=1, Underrated=1, Total=12. (not mine)
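The six points emkman lists describe one routing decision that the mail software makes for every inbound message: deliver if the sender is already trusted, deliver if the message arrived on the subaddress issued to that sender, otherwise bounce with a CAPTCHA and whitelist the sender once it is solved. The block below is an added example for this thread, not the anti-spam system the article proposes and not anyone's mail client. One design choice is the example's own and is marked as such: the per-contact tag is derived with an HMAC over the contact's address under a per-mailbox secret, so it looks random to the contact (point 5) but the recipient needs no table of issued tags to validate it, and rotating the secret revokes every subaddress at once. Addresses and domains are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Mailbox:
    """One user's mailbox plus the state the comment says the software, not the
    user, maintains: a whitelist, trusted domains and a secret for subaddresses."""
    address: str                                        # e.g. "alice@example.com"
    key: bytes                                          # per-mailbox secret; rotate to revoke all tags
    whitelist: set = field(default_factory=set)         # senders we mailed first or who solved a CAPTCHA
    trusted_domains: set = field(default_factory=set)   # point 1: e.g. the user's university

    def subaddress_for(self, contact):
        # Example's assumption: derive the tag instead of storing a random one.
        # Only this mailbox's key can mint a tag for a given contact.
        tag = hmac.new(self.key, contact.lower().encode(), hashlib.sha256).hexdigest()[:10]
        local, domain = self.address.split("@")
        return f"{local};{tag}@{domain}"

    def on_outbound(self, recipient):
        """Point 1: mailing someone first whitelists them automatically."""
        self.whitelist.add(recipient.lower())

    def route_inbound(self, sender, recipient, captcha_solved=False):
        """Decide what happens to a message from `sender` addressed to `recipient`.
        Returns (action, subaddress_to_hand_the_sender_or_None)."""
        sender = sender.lower()
        recipient = recipient.lower()
        sender_domain = sender.rsplit("@", 1)[-1]
        if sender in self.whitelist or sender_domain in self.trusted_domains:
            # Deliver, and include the sender's subaddress so their client can store it.
            return "deliver", self.subaddress_for(sender)
        if recipient == self.subaddress_for(sender).lower():
            # Point 5: the sender's client presented the tag issued to them earlier.
            return "deliver", None
        if recipient != self.address.lower():
            # A subaddress that was not issued to this sender: leaked or guessed tag.
            return "reject", None
        if captcha_solved:
            # Point 6: after one CAPTCHA the contact becomes seamless from then on.
            self.whitelist.add(sender)
            return "deliver", self.subaddress_for(sender)
        # Point 3: the single bounce that carries the challenge.
        return "bounce_with_captcha", None
```

Two things the example makes visible that the prose leaves implicit. First, a subaddress is a bearer secret: anyone who obtains `friend`'s tag can mail through it as `friend`, which is why the `reject` branch refuses a tag presented by a different sender and why the key is the revocation point. Second, the `From:` address is unauthenticated in ordinary SMTP, so "sender in whitelist" is only as strong as whatever sender authentication the receiving server applies; the scheme reduces the bounce traffic emkman mentions, but the whitelist alone does not stop a message that forges a trusted sender.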
  14. Re:Obligatory checklist by Geoffreyerffoeg · · Score: 2, Interesting

    I was waiting for this, because I wanted to see how you'd attack his idea. It seemed reasonable...Here are my possible defenses.

    (X) Mailing lists and other legitimate email uses would be affected
    You shouldn't sign up for the mailing list with your non-subaddress account.

    (X) Users of email will not put up with it
    Why? It should be automatic. If done on a massive scale (de-facto industry standard), people can believe that it'll take two weeks to convert, and then spam will be gone. They will put up with it.

    (X) Many email users cannot afford to lose business or alienate potential employers
    If this is done on a large scale, everyone will expect it as commonplace. Many e-mail users cannot afford to have legitimate business buried under Nigerian spam (either in an unfiltered inbox or thanks to an overzealous filter).

    Specifically, your plan fails to account for nothing. That's a good sign. Maybe the Slashdot groupthink can suggest improvements?

    (X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

    Where? The only impracticality is forcing large-scale adoption. That is a problem. In particular, I don't think his ideas on "partially-locked" addresses and such have been seen before.

    (X) Whitelists suck
    Why? They're not mandatory. Few people will use them. For example, I'd use them, but only as much as I have a "whitelist" to redirect some e-mail to my cell phone. This is e-mail I'd want to get immediately.

    (X) Temporary/one-time email addresses are cumbersome
    They aren't temporary. For each person, they should be permanent. I should be able to e-mail myfriend;a2b2c2@example.com for the rest of my life.

    (X) Sorry dude, but I don't think it would work.
    True; the only problem is that half the inconvenience comes from assuming limited adoption, and the other half comes from large-scale adoption. But spam is like a toothache. Something will be inconvenient, until we finally put a deep stop on spam.