Slashdot Mirror
Defeating Captcha
An anonymous reader pointed us at PWNtcha, a package that breaks various on-line captcha algorithms. The site provides numerous examples of easy (Paypal, and an older version of Slashdot make the list) and hard Captcha. It also links various sources explaining why Captcha is a bad idea.
Entrepreneur : (noun), French for "unemployed"
here
Thank you for the link to 'what Captcha is'. I'm glad you and the AC know.
Why do we even have editors? Why not just have slashblog, where every anonymous user just posts "ZOMFG, HAXZ)R TEH PL4NETtt!!" links.
Ah well. Would have been interesting to see it... maybe he's using ImageMagick...
The Army reading list
Whew, I had never even heard of Captcha before...
A captcha is a type of challenge-response test used in computing to determine whether or not the user is human.
A while ago, I remember hearing about how some spammers whould post the Yahoo Mail (or other free email services) Captchas on the registration forms on pr0n sites. The pr0n registrants would have to fill out the Captcha, but this would then be used by the spammer to get around the Captcha without any fancy software.
captcha stops bots
pwntcha breaks captcha
slashdot cremates pwntcha
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
http://72.14.207.104/search?q=cache:0navd8Ukq_wJ:
Interesting that an article talking about (among other things) why Captcha is a bad idea is submitted by an anonymous reader, who is forced to validate their human status every time they attempt to post.
(And yes, I'm aware that the submitter may be a member who has merely chosen to submit the story anonymously, but where would the joke be then?)
____
~ |rip/\/\aster /\/\onkey
While it is an interesting project from a hobbyist and academic standpoint, I'm not really sure what practical value it holds (unless the intent is to sell a mature algorithm to spammers, which is not the case since the project is being published). This is nothing more than a personal scripting project - no new forray into new concepts of computer science or pattern recognition; no new breakthroughs of computer-based heuristics.
Rex is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Having a legally blind mother that uses the web, I wonder how captcha complies with the Americans With Disabilities Act (when used by American companies of course)?
Is it compatible with BLINUX? I think by definition it is not.
Perhaps I should ask, what alternate method of identification do sights employ to take into account blind users and the ADA?
The problem is that people are using robots to work in an autonomous manner to find ways around typical human limitations (we can only send several hundred emails a day, robots are not so limited). So people want to stop these "cheater" by making the user prove that they are a human rather than a robot.
Is this really a good thing, though? Even on a site like Slashdot, in a story about defeating bots, the very first comment in this story is posted by a bot. How ironic is that? What is accomplished by banning users who can't read these "captchas" (what a horrendous fake word)? Nothing, apparently, as the story says. It only serves to annoy legitimate users and does nothing to hamper illegitimate robots.
The solution is not this sort of halfway measure. The solution is to make it simply not worth the effort to be a nuisance on a discussion forum. I suppose that requires a glut of intelligent posters, but with the entire citizenry of the Internet available, that can't be so hard.
Jesus saved me from my past. He can save you as well.
It's a cheap and scaleable method to defeat such algorithms. There will always be enough humans willing to do this for very little reward (some free pics).
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
Just make then nearly impossible to read... like slashdot does
http://en.wikipedia.org/wiki/Cluestick
Uh, that game doesn't work unless, say, bots stop Slashdot. Otherwise everyone just picks Slashdot and it's fifth grade all over again.
This is a good study of how hard it is to design secure systems. It's just like a non-cryptographer trying to create their own cipher, only in the visual processing world. Sadly, the article does not touch on non-visual captchas, which are alternatives for the blind. It would also be interesting to see what Jakob Nielsen might have to say on this technology from a usability perspective.
Of course, one of the primary bad things is that the concept of a captcha is patented, and the patent language is very broad. US Patent# 6,195,698
Also see the Wikipedia article for more information.
For the lazy... http://en.wikipedia.org/wiki/Captcha
- "Nobody came out that night, not one was ever seen. But Old Man Stauf is waiting there, crazy sick and mean!"
Its a good enough idea. Even with a captcha defeating library, a fairly skilled person would have to write a script or something to parse the webform (optionally over SSL which is a little more difficult) and programatically decode the captcha and then fill in the form and submit it.
Usernames and passwords are a bad idea, but we use them. Using cookies or special URLs like slashdot has (or had, not sure) to automatically login is a bad idea.
But they are acceptable for now, relatively simple to implement and use. There have been captcha defeaters for a while. It shouldn't be that tough to do at least a decent percentage of the time and accept a high failure rate because it is automated. It does not have to be 100%. Hell, I've seen captchas that I could not read before, and I'm a human!
Well I'm glad someone is writing code to solve those "prove you aren't a script" images, because a lot of times I can't quite figure them out myself.
I swear this is not a troll. It actually was.
Chiefly among them is sometimes you can't tell what the fucking words are. Within the last few months on more than one occasion I simply could not read the letters because they were so distorted and the lines overlapped the letters too much. No fun redoing a web form over and over because you can't figure out what the hell the verification box says.
I can't imagine how people with difficulties cope with this.
If you wanna get rich, you know that payback is a bitch
While captchas have drawbacks, notably they require special handling for the vision-inpaired, they are useful.
/.'d and Coral Cache doesn't have it, here it is on mirrordot.
In an era where every blog is a potential spam target, human verification systems are a requirement. Captchas are not the only way to do this, but they are a way.
Since the main story is heavily
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
A: Captchas are a necessary evil. Without it, many services can be horribly, horribly abused.
B: ITs how lazy cryptographers do AI: The goal of a captcha is to get someone else to solve a hard vision/learning problem, and then you change the Captcha.
Test your net with Netalyzr
Here's a link that will actually load and show you all the pretty pictures : http://sam.zoy.org.nyud.net:8090/pwntcha/.
Once all these new algorithms get integrated into OCR software... OCR software might just work.
you failed getting FP
TMM pwned again
I just saw a great flash-based Captcha designed to combat just this sort of attack. The test was composed of white text on a white background. Colored shapes of various sizes swirled in the background behind the text in a pseudo-random pattern, and the text was visible or obfuscated depending on whether there was a shape behind it at the moment. After watching it for a few minutes to see if there were any obvious flaws, I noticed that the entire phrase was never visible all at once.
A little patience was required, but I was able to verify in less than 10 seconds. Animation seems to be very useful for this kind of application.
Even Jesus hates listening to Creed.
A million Indian websurfers paid for by spammers beats all three...
Get your Unix fortune now!
Hashcash doesn't care if you're blind and need special screen reading software.
It makes bulk spamming expensive as well. That may not apply to blog spamming as much but it's still a good way to slow them down.
Tom
Someday, I'll have a real sig.
Just because the post begins with the word "Interesting" does not mean that you have to mod it interesting. Especially when it isn't.
[ Reply to This | Parent ]
He lists paypal.com as "broken"; how about https://www.moneybookers.com/app/login.pl
Stephan
http://stephan.sugarmotor.org
Having to wade through 60+ spam comments a day on a WordPress blog (with all the stock antispam options enabled) just sucked . . . and the blog didn't even get much traffic (PageRank of 4). I installed the AuthImage plugin and used it on its stock settings, and for awhile didn't get a single bit of spam. Then, magically, it started up again. It seems some industrious little script kiddies have written a crawler to massively bombard AuthImage-enabled blogs with words from the stock word list. I switched from the wordlist file to randomly-generated strings and increased the size of the image for readability, and I never had another piece of comment spam in that blog again.
As for blind folks, I suppose every webmaster has to make that decision based on their target demographic, but I've seen a few text-only captchas that work well enough ("What color is an orange?") but will inevitably have the same limitation as the AuthImage word list above.
Captchas are next to useless and for the visually impaired very frustrating. One more of a example of a technology which annoys everyone and yet doesn't really stop the determined miscreant. <cough>airport shoe inspections</cough>
-- "Most people prefer a popular myth to an unpopular truth"
As with the Turing test, the entire purpose of a captcha is to distinguish humans from machines. As captcha-defeaters improve, the captchas will need to become more and more sophisticated and require more and more human or human-like intelligence to process. This arms race will culminate in a Turing test-like approach for discerning natural intelligences from artificial ones.
The ultimate irony may occur when the first human-intelligent computer is created by a spammer for the purpose of assaulting our collective intelligences with their commerical drivel. Given the increasing value of online commerce and Google page ranking, there's probably more money in AI for captchas than AI for academic research.
But before captchas get that sophisticated, the system will become self-defeating as the number of real humans defeated by captchas exceeds the number of AIs repelled by them.
Two wrongs don't make a right, but three lefts do.
Use captcha to encode math problems (IE, the captcha would have "sin(34) * 10" or whatever, and you have to type in the answer).
This way, not only does it take a little longer to analyze, but you get them to do a little bit of work for you. Force the spammers to be part of your little distributed processing system.
Of course the problems need to be simple enough for the users to figure out...
-- Senior Software Engineer, Attorney appearance services, locallawyerapp.com.
would it really be so hard to make an audio version of it too ? .. play with the peaks add extra noise so its hard for computers to recognize? .. sure they COULD recognize the audio as easily as .. well hell i cant even read the slashdot one at the bottom of my screen here .. hmmm - page reload - nvm found one i can read :P
That is fairly easy to break if the text is stationary - simply keep taking pictures. Once you have enough (probably 10 seconds worth at 3fps) just stack all the images on top of each other and "add" them up. The moving parts will fade into the background and leave the text standing proud for some quick OCR.
Now if the text moved as well, it would be better. But you still have create problems for platforms without Flash and for any blind users. Flash for captcha doesn't sound that bright to me.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
You discriminator! Your alleged universal logic questions clearly discriminate against the moronically stupid. You will be sued by my team of kick-ass lawyers!
I don't make the rules. I just make fun of them.
The main article refers to Inaccessibilyt of Visually-Oriented Anti-Robot Tests, which deserves a read and commentary.
Among the claims:
- captchas are inaccessbile to the blind - true
- a horde of human beings can decode the entire library over time - only true if the images are recycled, not if they are created on-demand or for one-time use.
It also discusses some of the side-effects of making access to real humans harder, or harder for a class of users such as the visually impaired. For example, I've seen sites that say "If you cannot read this, call this phone number for access." Too bad for you if you don't have a phone.
As alternatives, it offers
- logic puzzles
- sound output
- credit-card validation
- live operators
- limited-use of unverified accounts, such as throttling for email
- behavior and heuristic analysis
- already-established credentials, such as single-sign-on systems or public-key-based systems
- biometrics
The article briefly discusses the pros and cons of each.
I rate its conclusion
"Visual verification alone is known to create problems with users. It is imperative that site designers take the needs of users with disabilities into account, and it is likewise hoped that one or more of these potential solutions can make that process easier."
as: insightful +5 obvious -1.
The article as a whole gets an "informative +5."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
"Many thanks to the VideoLAN project for hosting my page during the /. effect, to the GNAA for providing me with a massive amount of Captcha samples, and of course to every other contributor to this project."
Is this the same GNAA that trolls slashdot on a regular basis?
The W3C proposed in 2003 a number of Solutions for the Inaccessibility of Visually-Oriented Anti-Robot Tests, including logic puzzles, audio captchas, credit card validation, etc. It is interesting that they also show how a federated identity system can help users with disabilities.
There must be at least some irony found that an article that's creation was furthered by the infamous GNAA is posted on the front page..
Notice this is written by the same guy who coded LMOS (GNAA's Last Measure Operating System). Combine this with the fact that there is no proof-of-concept code available, it makes me think this is just another GNAA attempt to get Slashdotted. The page would probably redirect to goatse or Last Measure right now if the server wasn't slashdotted. YHBT by the GNAA.
But, and this is probably your point, it's better than nothing! Or, to put another way, if it stops 90% of the people, then it's probably worth its minor cost. (Cost being the effort of humans to read the captchas, etc.)
Ben Hocking
Need a professional organizer?
scroll down to the bottom, eegh O_O
In the table for "Cwazymail", I was trying to figure out what the pictures were. One's an elephant, one's an owl, and one is a man pulling apart his anus. Great!
Anyone catch the Goatse image in the linked article? Look at the images for the Cwazymail captcha. *shudder*
Lisa: Poor predictable Bart. Always picks rock.
Bart: Good old rock. Nothing beats that!
Bart: Rock!
Lisa: Paper.
Bart: Doh!
scroll down, it's the picture near the elephant
And the comment kills me:
"An excellent idea, but a critically buggy implementation"!!!
For example, A captcha images contains the following text:
"Please enter the first three and last four letters of the following sentence: There is man with a small plan"
The application would expect "Theplan"
Have the instructions be variable, along with the modded text. Ask for the third word or the last two words, or the last 5 letters in reverse order.
Instructions written for humans along with the ability to read the garbled image/instructions would make it many times more difficult for a machine to figure out what to enter.
In the mirrordot version, the picture between the elephant and the owl is NOT there.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Could swear it is.
i am a soviet space shuttle
that one of the captchas still being worked on is a distorted goatse image (Cwazymail)? Is that for real or is that a cleverly disguised joke? haha...
The article is NSF for that slightly distorted . . . uh . . . picture of the man.
I'm tempted to go to "cwazymail" and see what other wonderful captchas are waiting for me.
I was thinking about captchas (didn't know they had a name) when signing up for a Gmail account today. I wondered if it would be profitable to set up a company somewhere where labour is cheap to employ people to read captchas on demand. Apparently the British postal service scans images of letter envelopes and sends them abroad where the postal codes are read and sent back. If a person could read, decipher and type, say, 3 captchas a minute, and you paid them 50 cents an hour, you could make a profit charging half a penny per captcha to nefarious blog spammers etc.
..the bots became self-aware..
SYS 64738
The summary should include a warning that one of the captcha examples features goatse.
At least Canada is close, but not much better.
Yeah, right.
A test for humanness will not be convincing until it cuts out 70% of AOL users and 58.2% of Belgium. (58.2% of Belgian users would work, too.)
I don't get the Belgium/Belgian users reference. Did they do something wrong to not be considered humans? Are they dumber than average? Is "Belgium" just a funny word? I don't get it. Somebody (preferably one who knows the answer) please enlighten me.
Have you ever wondered How to Take Over
First off, put a time-bomb on such captchas - if they aren't solved within 2 minutes then abort and issue a new one.
Second off throttle based on IP traffic - if more than X% of traffic from an IP address is registrations AND there are more than 10 registrations in 5 minutes, assume something is up.
Third off, don't reuse captchas - generate them on the fly or if you must, in-advance for one-time use.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Yeah, right.
Anyone else had the experience of not being able to read the captcha on a web site? Seriously... if a human brain can't read it, I really doubt a program (at least at today's levels) could do so. Of course, part of the problem is that English has too many letters that look alike. Lower case "l" and capital "I" for instance.
There's a goatse image in it.
What is the next logical number in the sequence 1, 3, 5, 7, ...?
11 is the next odd prime in the sequence listed.
"I'm not impatient. I just hate waiting." - My Dad
all captchas should timeout after, oh, say 10 minutes?
In all honesty, do you really think you're going to get that many people to regularly visit a pr0n site? The sector is extreemly cut-throat and vastly bigger than the market can justifiably support (hence why many pr0n sites close each month).
The only way to get to the top of the engines in the first few months would be to use PPC advertising (costs money). After that, even if you get to the top of the SERPS by using nefarious means, you'll need to give people a viable reason to sign-up to your service, i.e. you'll need content which costs money (unless you want to steal it, at which point you can probably expect some real mean types to track you down and kill you, them porn businesspeople are crazy).
I am NaN
Editors -
Please don't link to the goatse man without at least some warning.
Thanks.
Was it just me or did I just saw goatse.cx being used as captcha?
*groan*
mod +5 funny
mod -6 lame
Google's Blogger.com just recently implemented captchas in its built-in commenting system, and is crowing pretty loud about it to its members; seems to be a behind-the-curve move, in light of this.
-CT
http://www.populationstatistic.com/
Ah so that's what they call that. I used to have a mailer on my site that I wanted to protect from spammers/bots and I was trying to find a pre-made script on google but I had no clue what they were called so I just ended up writing my own Oh well its about a year too late now and I don't even have that mailer form on my site anymore. P.S. I bet my awesome captcha script would have been un-crackable! =P
[an error occurred while processing this directive]
Next up, the end of the internets!!!eleventyone
Yeah, right.
all i know is that someone managed to get a front page link on slashdot to a site that has an image of the goatse guy (next to the elephant and the owl in the Cwazymail captcha) AND a link to gnaa.us. well done. :-P
If you look at the middle image of the Cwazymail examples, it looks likes... well you can make your own judgement.
Do you have to be 18 to sign up?
I don't get the Belgium/Belgian users reference. Did they do something wrong to not be considered humans? Are they dumber than average? Is "Belgium" just a funny word? I don't get it. Somebody (preferably one who knows the answer) please enlighten me.
I thought the answer was obvious: they share a border with the Dutch.
There's a goatse image on that page.
I don't feel so bad using a Captcha on my site regarding the inconvenience it causes to vision-impared visitors. You only need to fill in the Captcha for posting comments. Otherwise, blind people can access the rest of my site unhindered.
I'd also like to point out that since I've implemented my Captcha, this level of obscurity has blocked 100% of the comment spam I was dealing with in my Wordpress-powered site.
I do think it presents an undesireable hurdle for blind people accessing other sites like registering for email accounts and the like.
$5 / month hosted VPS on linux = awesome!
Thanks a lot /. for that wonderful link. an otherwise wonderful lunchbreak now is now for lack of a better experssion... down the tubes.
The article is a troll ... note how the code is withheld and the general lack of details or substance ... finally, note that this person hosts a Lastmeasure mirror on their domain; http://traceroute.zoy.org/ (DO NOT CLICK, except in links/lynx).
Thanks for linking the Goatse Man image in the article. Oh how I've missed being tricked into viewing thee.
The link is not work safe.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
I don't care if his code works or not. He got every person to look at the goatse picture, whether they realized it or not.
In fact, I kinda hope the whole site was an elaborate practical joke just for that purpose.
This is one of the few cases when goatse jokes are on topic.
You only need to fill in the Captcha for posting comments. Otherwise, blind people can access the rest of my site unhindered.
So you have intentionally shut out blind people for posting comments. Prepare for some heated e-mails from the first blind person who really, really wants to post a comment. They only start polite.
Only governments should have compulsory support for visual impaired users. For the rest of the pages it's a bonus if they decide to support those people.
I assume your argument is that a competitor could make money by picking up the disabled customers that the discriminatory company left behind, but that's not always the case. Take as an example the company providing electric power. In many familiar jurisdictions, the power company holds a local monopoly. If the power company discriminates against blind people, then do you expect blind people to go without electricity?
Why not just show a picture of an object and you a multiple choice answer of what it is?
I'm from Holland. Isn't that veird?
Gamingmuseum.com: Give your 3D accelerator a rest.
Slashdot would only have maybe ten posts per article...
(and I can barely read the capcha here, is it "chapels?" They're only weeding out old people!)
"This is because pulling non-random signal out of random noise in a moving system is a lot easier than in a static singular system."
Spread-Spectrum Communications.
Unless you're a government agency, you can lock people out of your web site for any reason at all.
If you use a web site to engage in commerce among the states, the web site falls under congressional jurisdiction. If you use a web site to engage in commerce related to a contract with the U.S. Government, the web site even more obviously falls under congressional jurisdiction. Likewise, if your business has a government-granted monopoly such as a public utility franchise, the web site falls under the jurisdiction of the agency that granted the franchise.
Hashcash is useful, perhaps, in stopping spam, which is only worthwhile when sent in the millions. Things protected by CAPTCHA systems, like new email accounts and slashdot posts, tend to be worthwhile to the attacker in thousands instead. The maximum I'm going to tolerate as a user is about one minute of hashing, which works out to 1440 solutions per day ...
Do you think yahoo mail will be happy if a particular blackhat box only registers 1440 new accounts per day? Will you and I be happy if a particular slashdot troll only posts 1440 comments per day? Will an average user prefer sitting there doing nothing for 60 seconds, instead of typing in a few letters in a picture?
Which of the following would be the textual description of the second pic (http://www.videolan.org/pwntcha/goatse-captcha.jp g) for the Cwazymail implementation?
ASSRIPPING
OUCH!
DEARGOD!
I_CAN_SEE_HIS_TEETH
Do you think yahoo mail will be happy if a particular blackhat box only registers 1440 new accounts per day?
By the time a single IP address has generated enough hashcash to create ten new accounts in 24 hours, red flags should go off that this machine is either a spam bot (bad), an open proxy (bad), or an ISP's proxy (which can be verified by a human being).
You suggested asking an easy trivia question, basing your example on traffic law. Watch a computer just build up a database of all the possible questions. In addition, how would a fellow with a red-green color deficiency, who sees "top light, middle light, bottom light" in a traffic signal, be able to answer your question correctly?
There's a perturbed image (aren't they all?) of goatse embedded in possible captcha implementations. Browse carefully.
Reminds me of the old days of slashdot landmines!
why should I spend $10,000 to make my facilities handicap accessible if there is no net profit to me?
Because you run the risk of being fined $50,000 under anti-discrimination laws if you don't.
So, that captcha cuts out those people who have an internet connection AND have no phone AND are blind.
I'm assuming that a TTY connected to a braille wheel counts as a "phone" in your analysis, right?
Anyone else notice the center image under the "Cwazymail" entry? It's rather disgusting, once you figure it out.
Just display a jpeg with a Steganograph message. If the client can decode it, then it's not human.
Ok, I'm off to the PTO...
They were grateful for being liberated. However, gratefulness isn't a blank check to do and say whatever you want and it doesn't last forever. Too be honest I don't recall any Americans clamering for the liberation of Belgium, it just happened to lie in the way to Berlin.
I assume you weren't in WWII yourself and are an armchair general.
They are just as good at filtering off bots, as at stopping me from registering when I'm drunk.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
a human still has to answer the questions if the computer isn't intelligent enough to know what is being asked of it.
And once humans have fed correct answers for at least 25 percent of the 10,000 questions into the spam bot's database, the computer can handle the rest.
and there's nothing to stop you from expanding the dictionary.
Except human time. It would take nearly as long to build up a spam bot resistant dictionary as it would to moderate comments the old fashioned way.
And I just added captcha to the comment posting system on my blog! >_
Oh well, atleast my other antispam measures will still work.
Friend: "The NIC is misconfigured..." Me: "No prob, I'll just telnet in and fix it." *Silence*
Some sites include an "audio" link by the captchya. I believe that it was yahoo I recently visited to download messenging software, and the captcha had an option to listen to an audio clip that would tell you what to enter.
This article about captcha being unnecessary and useless needed to pass one. Does anyone else find that as funny as I do?
I thought about this problem on a recent trip to the urinal and here's what I got.
1) Get (or construct) a large database of nouns of well-known objects (car, orange, bottle, phone, pencil, brick, cup, etc. etc.)
2) Retrieve image references from a (safesearch-enabled) Google image search for a random noun from your database. Pick randomly from the result set.
3) Present images to the user. "These are pictures of a..."
4) My next strategy was to figure out a combinatorial way to increase the number of possible replies so that an attacker couldn't simply create a database of knowns (such as a hash database of images)
What do you smart fellers think? other than google being pissed for scraping their site
A while ago, Slashdot was using captchas so messy that I didn't even know what they said. I'd pretty much always get the "try your reply again" thing, until I sent an email and stopped having to do the captcha. Now, I see they're easier. But still annoying. On yahoo, I fail, oh, lets say, 1 out of 8 times to correctly imput the word. Now, I do have bad vision, but I'm not blind.
It DOES have its problems - members of the Government and police force are suspected of being directly involved in human trafficking, for example - but it is certainly no worse than any other.
To most English, though, Belgium is mostly associated with beer, chocolate and Hercule Poirot. Other than that, the only thing exceptional about Belgium is how utterly unexceptional the country is.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
"The only potentially viable mechanism for doing this sort of thing involves dynamic creation of the images using random number generators to perturb the image in ways that are of similar color to the test, using color variation on the text to fool stochastic methods, using foreground masking of the text (i.e. lines that go in front of the text, not just behind it), and using a wide enough variety of fonts, some of which should be things like cursive fonts with variable baselines. That really makes OCR mad."
Or use Optical Illusions*. Or homonyms to increse problem space.
*Same works for the other senses.
Last I checked, the ADA didn't apply to websites.
Possibly. But section 508 of the Rehabilitation Act does apply to web sites of companies that sell products to the U.S. Government.
Suggested additional methods of preventing CAPTCHA defeat:
:)
1. Change the instructions so that it isn't always "type these characters". Maybe "type the first three characters", etc. Randomise this element.
2. Use the technique that spammers love: replace characters in your CAPTCHA with similar-looking, but non-standard ones; the word will still be readable, but will foil font-based algorithms.
3. Divide the image into small blocks, cutting across characters, and with randomised cutting points. Display them together on the page, and the user need never know the difference, but a bot is much more likely to choke.
4. Use Javascript to load the image, so that a bot that doesn't process JS won't ever see the image.
5. Better still, load a dummy image in HTML, and overlay it with another in JS. Legitimate users will see the overlaid image; bots will see the original one, and therefore get it wrong in a predictable way, even if they can decipher the graphic. Could be a good way to spot the dodgy user right from the beginning (yes, it would also catch users with JS turned off... but in these days of Ajax, who does that?)
6. Use hieroglyphics rather than alphabetic characters: show a couple of easily recognised icons or pictures, and ask the user to identify them.
7. Trap IP addresses, etc of users that fail the test. Increase the difficulty of the test for IPs that have previously failed.
That's all I can think of for now. I'm sure some of them won't really be workable (and I'm sure the slashdot crowd will gleefully tell me so!), but hopefully there's something useful and new in that lot.
(btw - is it deliberate that CAPTCHA sounds so similar to GOTCHA?)
(Spudley Strikes Again!)
when i read that website by scrolling down to observe each examples...
WHen i came across 'defeated' section and find mind-blowing Cwazymail's second image next to elephant...
it promptly make me remember since that day i click on that OTHER site and it scars me forever. Tragedy.
(excuse my crappy grammar)
you say, "textual tests would do just as well."
DMCA advocates say, "content protection can stop bad guys without inconveniencing good guys."
Both are flat-out wrong in the real world.
The good news is, you have a potentially bright career ahead of you in politics.
I've been thinking about a good way to defeat Captcha. When the bot sees the captcha image it automatically displays it at a 'helper' site. This site could be some random pop-up from a spyware program that asks the user to then write down the word in the Captcha image. The bot then uses the entry from the Spyware affected person to enter the original website.
I don't need to break any sites myself, but I'm sure that this would work.
Religion for nerds. Stuff that really matters
It will be interesting if a blind person does post a comment on my site. I do advocate for the ADA and am a web programmer for a govt. agency where I have to argue against my co-workers using non-ADA compliant content types like PDF, FLASH, POWERPOINT, and MS Word docs on our web sites. I think that for a blind person, the internet can really expose them to a lot of stuff that's difficult to interpret in hardcopy.
So, I'm not saying that the visually impared are unwelcome on my personal website. It's just that I've made a judgement call between suffering comment spam and excluding a minority of people who would ever be interested in the stuff on my website. Similarly, I was plagued by Brazillian script kiddies attacking my server, so I put firewall rules in place that block all connections from Brazil. Just to save bandwidth, I also eliminated connections from Australia, China, Taiwan, and a few other countries. My website is about skateboarding in Austin, and the intended audience isn't really people in those countries. This may seem like an arbitrarily unfair case of discrimination on my part, but that's my right as an independent internet publisher.
Seth
$5 / month hosted VPS on linux = awesome!
Is it compatible with BLINUX? I think by definition it is not.
Perhaps I should ask, what alternate method of identification do sights employ to take into account blind users and the ADA?
Fuck off
Wrong wrong wrong. For the human eye, the difference between gray_level = 123 and gray_level = 124 is almost imperceptible but for software, they're as different as a one and a zero. Color is the same situation. If you try to make a captcha difficult by putting in a nice color background, well, the software can just threshold out the color and threshold out grayscale.
The best format would be one-bit images, with letters that are not evenly spaced, not all the same font, not all the same alignment, and yes, with some noise thrown in. The noise should not be in the form of simple straight lines. But it should be one bit, not grayscale or color.
This article is a fraud. No source is presented, and goatse.cx is displayed in the examples. This whole thing was contrived just to get goatse.cx in a legitimate front page post. Best troll in years.
this sig limit is too small to put anything good h
In other news, here's the world's most secure captcha (as seen on this page), and here's the world's sickest captcha (as seen on Google).
There is a not so distorted goatse image about 3/4 of the way down the page. Beware.
As the Belgians are the inventors of French fries (they should in fact be called Belgian fries!), deal with the fact that they probably know how to handle fries correctly. I myself don't like either ketchup or mayonaise on my fries, just a little salt.
> Is "Belgium" just a funny word?
Well, say it a few times. Does it _sound_ funny? Think about whether it sounds funny, while you're saing it, repeatedly. *Now* does it sound funny?
(This trick works with most words, BTW.)
Actually, the real issue with the word "Belgium" is that Douglas Adams wrote things about it that could be interpreted as disparaging, so all real geeks have to think it's a bit off, or they lose their geek card.
Cut that out, or I will ship you to Norilsk in a box.
I am a GNAA member.
Sam does not release his code becuase it may very well give websites we target a "heads up". The fact that there are naysayers like you just proves this point - why give away the code if it would belay skepticism?
I do have a copy of the code in question. Its nothing fancy. It uses off the shelf open source software and graphics libraries. This is the fact that should be alarming - that a single individual can put only a little bit of effort to defeat what people seem to think is the pinnacle of anti-spam security on the WWW.
But hey, if no one belives me, then its still advantageous for me. I can continue signing up thousands of accounts and no one will ever be the wiser.
Thanks so much...
/.: why the hell am I here?