Defeating Captcha
An anonymous reader pointed us at PWNtcha, a package that breaks various on-line captcha algorithms. The site provides numerous examples of easy (Paypal, and an older version of Slashdot make the list) and hard Captcha. It also links various sources explaining why Captcha is a bad idea.
Entrepreneur : (noun), French for "unemployed"
here
Whew, I had never even heard of Captcha before...
A captcha is a type of challenge-response test used in computing to determine whether or not the user is human.
A while ago, I remember hearing about how some spammers would post the Yahoo Mail (or other free email services) Captchas on the registration forms on pr0n sites. The pr0n registrants would have to fill out the Captcha, but this would then be used by the spammer to get around the Captcha without any fancy software.
captcha stops bots
pwntcha breaks captcha
slashdot cremates pwntcha
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
http://72.14.207.104/search?q=cache:0navd8Ukq_wJ:
Interesting that an article talking about (among other things) why Captcha is a bad idea is submitted by an anonymous reader, who is forced to validate their human status every time they attempt to post.
(And yes, I'm aware that the submitter may be a member who has merely chosen to submit the story anonymously, but where would the joke be then?)
____
~ |rip/\/\aster /\/\onkey
While it is an interesting project from a hobbyist and academic standpoint, I'm not really sure what practical value it holds (unless the intent is to sell a mature algorithm to spammers, which is not the case since the project is being published). This is nothing more than a personal scripting project - no new foray into new concepts of computer science or pattern recognition; no new breakthroughs of computer-based heuristics.
Rex is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Having a legally blind mother that uses the web, I wonder how captcha complies with the Americans With Disabilities Act (when used by American companies of course)?
Is it compatible with BLINUX? I think by definition it is not.
Perhaps I should ask, what alternate method of identification do sites employ to take into account blind users and the ADA?
The problem is that people are using robots to work in an autonomous manner to find ways around typical human limitations (we can only send several hundred emails a day, robots are not so limited). So people want to stop these "cheaters" by making the user prove that they are a human rather than a robot.
Is this really a good thing, though? Even on a site like Slashdot, in a story about defeating bots, the very first comment in this story is posted by a bot. How ironic is that? What is accomplished by banning users who can't read these "captchas" (what a horrendous fake word)? Nothing, apparently, as the story says. It only serves to annoy legitimate users and does nothing to hamper illegitimate robots.
The solution is not this sort of halfway measure. The solution is to make it simply not worth the effort to be a nuisance on a discussion forum. I suppose that requires a glut of intelligent posters, but with the entire citizenry of the Internet available, that can't be so hard.
Jesus saved me from my past. He can save you as well.
It's a cheap and scalable method to defeat such algorithms. There will always be enough humans willing to do this for very little reward (some free pics).
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
Uh, that game doesn't work unless, say, bots stop Slashdot. Otherwise everyone just picks Slashdot and it's fifth grade all over again.
This is a good study of how hard it is to design secure systems. It's just like a non-cryptographer trying to create their own cipher, only in the visual processing world. Sadly, the article does not touch on non-visual captchas, which are alternatives for the blind. It would also be interesting to see what Jakob Nielsen might have to say on this technology from a usability perspective.
Of course, one of the primary bad things is that the concept of a captcha is patented, and the patent language is very broad. US Patent# 6,195,698
Also see the Wikipedia article for more information.
It's a good enough idea. Even with a captcha defeating library, a fairly skilled person would have to write a script or something to parse the webform (optionally over SSL which is a little more difficult) and programmatically decode the captcha and then fill in the form and submit it.
Usernames and passwords are a bad idea, but we use them. Using cookies or special URLs like slashdot has (or had, not sure) to automatically login is a bad idea.
But they are acceptable for now, relatively simple to implement and use. There have been captcha defeaters for a while. It shouldn't be that tough to do at least a decent percentage of the time and accept a high failure rate because it is automated. It does not have to be 100%. Hell, I've seen captchas that I could not read before, and I'm a human!
Well I'm glad someone is writing code to solve those "prove you aren't a script" images, because a lot of times I can't quite figure them out myself.
I swear this is not a troll. It actually was.
Chiefly among them is sometimes you can't tell what the fucking words are. Within the last few months on more than one occasion I simply could not read the letters because they were so distorted and the lines overlapped the letters too much. No fun redoing a web form over and over because you can't figure out what the hell the verification box says.
I can't imagine how people with difficulties cope with this.
If you wanna get rich, you know that payback is a bitch
While captchas have drawbacks, notably they require special handling for the vision-impaired, they are useful.
/.'d and Coral Cache doesn't have it, here it is on mirrordot.
In an era where every blog is a potential spam target, human verification systems are a requirement. Captchas are not the only way to do this, but they are a way.
Since the main story is heavily
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
A: Captchas are a necessary evil. Without it, many services can be horribly, horribly abused.
B: It's how lazy cryptographers do AI: The goal of a captcha is to get someone else to solve a hard vision/learning problem, and then you change the Captcha.
Test your net with Netalyzr
Here's a link that will actually load and show you all the pretty pictures : http://sam.zoy.org.nyud.net:8090/pwntcha/.
And then again, maybe he isn't. It doesn't really matter which library he uses for image import, does it? I mean, the interesting part would be the data structures and algorithms used in the "reverse-mapping" from image data to text. It's doubtful that the rudimentary processing methods provided by ImageMagick (although often a god-send of convenience and compatibility) would help here.
Not that this would stop you from plugging some random open-source software package. Even though your plug will probably do more Good-For-The-World than the rest of the discussion in this thread combined, your motives are still strange to me.
Once all these new algorithms get integrated into OCR software... OCR software might just work.
I just saw a great flash-based Captcha designed to combat just this sort of attack. The test was composed of white text on a white background. Colored shapes of various sizes swirled in the background behind the text in a pseudo-random pattern, and the text was visible or obfuscated depending on whether there was a shape behind it at the moment. After watching it for a few minutes to see if there were any obvious flaws, I noticed that the entire phrase was never visible all at once.
A little patience was required, but I was able to verify in less than 10 seconds. Animation seems to be very useful for this kind of application.
Even Jesus hates listening to Creed.
A million Indian websurfers paid for by spammers beats all three...
Get your Unix fortune now!
> It doesn't really matter which library he
> uses for image import, does it?
I'd be interested in knowing what it is... but I may well be the only person on the planet that is interested.
> your motives are still strange to me
Most of the time I don't understand them myself!
The Army reading list
Hashcash doesn't care if you're blind and need special screen reading software.
It makes bulk spamming expensive as well. That may not apply to blog spamming as much but it's still a good way to slow them down.
Tom
Someday, I'll have a real sig.
Just because the post begins with the word "Interesting" does not mean that you have to mod it interesting. Especially when it isn't.
He lists paypal.com as "broken"; how about https://www.moneybookers.com/app/login.pl
Stephan
http://stephan.sugarmotor.org
Having to wade through 60+ spam comments a day on a WordPress blog (with all the stock antispam options enabled) just sucked . . . and the blog didn't even get much traffic (PageRank of 4). I installed the AuthImage plugin and used it on its stock settings, and for a while didn't get a single bit of spam. Then, magically, it started up again. It seems some industrious little script kiddies have written a crawler to massively bombard AuthImage-enabled blogs with words from the stock word list. I switched from the wordlist file to randomly-generated strings and increased the size of the image for readability, and I never had another piece of comment spam in that blog again.
As for blind folks, I suppose every webmaster has to make that decision based on their target demographic, but I've seen a few text-only captchas that work well enough ("What color is an orange?") but will inevitably have the same limitation as the AuthImage word list above.
Captchas are next to useless and for the visually impaired very frustrating. One more of a example of a technology which annoys everyone and yet doesn't really stop the determined miscreant. <cough>airport shoe inspections</cough>
-- "Most people prefer a popular myth to an unpopular truth"
As with the Turing test, the entire purpose of a captcha is to distinguish humans from machines. As captcha-defeaters improve, the captchas will need to become more and more sophisticated and require more and more human or human-like intelligence to process. This arms race will culminate in a Turing test-like approach for discerning natural intelligences from artificial ones.
The ultimate irony may occur when the first human-intelligent computer is created by a spammer for the purpose of assaulting our collective intelligences with their commercial drivel. Given the increasing value of online commerce and Google page ranking, there's probably more money in AI for captchas than AI for academic research.
But before captchas get that sophisticated, the system will become self-defeating as the number of real humans defeated by captchas exceeds the number of AIs repelled by them.
Two wrongs don't make a right, but three lefts do.
Use captcha to encode math problems (i.e., the captcha would have "sin(34) * 10" or whatever, and you have to type in the answer).
This way, not only does it take a little longer to analyze, but you get them to do a little bit of work for you. Force the spammers to be part of your little distributed processing system.
Of course the problems need to be simple enough for the users to figure out...
-- Senior Software Engineer, Attorney appearance services, locallawyerapp.com.
That is fairly easy to break if the text is stationary - simply keep taking pictures. Once you have enough (probably 10 seconds worth at 3fps) just stack all the images on top of each other and "add" them up. The moving parts will fade into the background and leave the text standing proud for some quick OCR.
Now if the text moved as well, it would be better. But you still create problems for platforms without Flash and for any blind users. Flash for captcha doesn't sound that bright to me.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
The main article refers to Inaccessibility of Visually-Oriented Anti-Robot Tests, which deserves a read and commentary.
Among the claims:
- captchas are inaccessible to the blind - true
- a horde of human beings can decode the entire library over time - only true if the images are recycled, not if they are created on-demand or for one-time use.
It also discusses some of the side-effects of making access to real humans harder, or harder for a class of users such as the visually impaired. For example, I've seen sites that say "If you cannot read this, call this phone number for access." Too bad for you if you don't have a phone.
As alternatives, it offers
- logic puzzles
- sound output
- credit-card validation
- live operators
- limited-use of unverified accounts, such as throttling for email
- behavior and heuristic analysis
- already-established credentials, such as single-sign-on systems or public-key-based systems
- biometrics
The article briefly discusses the pros and cons of each.
I rate its conclusion
"Visual verification alone is known to create problems with users. It is imperative that site designers take the needs of users with disabilities into account, and it is likewise hoped that one or more of these potential solutions can make that process easier."
as: insightful +5 obvious -1.
The article as a whole gets an "informative +5."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The W3C proposed in 2003 a number of Solutions for the Inaccessibility of Visually-Oriented Anti-Robot Tests, including logic puzzles, audio captchas, credit card validation, etc. It is interesting that they also show how a federated identity system can help users with disabilities.
There must be at least some irony found that an article whose creation was furthered by the infamous GNAA is posted on the front page..
But, and this is probably your point, it's better than nothing! Or, to put another way, if it stops 90% of the people, then it's probably worth its minor cost. (Cost being the effort of humans to read the captchas, etc.)
Ben Hocking
Need a professional organizer?
http://www.gh-sts.com/captcha.txt
This is what slashdot's previous iteration of a captcha looked like in an in-memory associative array after the intersecting lines had been removed and a de-skewing algorithm applied. There was actually a version of the code after that which properly picked out where the lines actually intersected the letters and didn't erase the intersecting section to create those gaps.
Before they switched to the newest CAPTCHA system, I was breaking their CAPTCHAs with a modified SS.pl script with almost 100% accuracy (it had a little trouble properly splitting up the text when a j or other similar character wrapped partially under another letter).
Of course, the new CAPTCHAs are much harder. I can't even read some of them myself, but the point is that breaking CAPTCHA that people can easily read usually isn't really that hard.
Yes, I used ImageMagick's Perlmagick library.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
scroll down to the bottom, eegh O_O
In the table for "Cwazymail", I was trying to figure out what the pictures were. One's an elephant, one's an owl, and one is a man pulling apart his anus. Great!
Lisa: Poor predictable Bart. Always picks rock.
Bart: Good old rock. Nothing beats that!
Bart: Rock!
Lisa: Paper.
Bart: Doh!
For example, A captcha images contains the following text:
"Please enter the first three and last four letters of the following sentence: There is man with a small plan"
The application would expect "Theplan"
Have the instructions be variable, along with the modded text. Ask for the third word or the last two words, or the last 5 letters in reverse order.
Instructions written for humans along with the ability to read the garbled image/instructions would make it many times more difficult for a machine to figure out what to enter.
In the mirrordot version, the picture between the elephant and the owl is NOT there.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Could swear it is.
i am a soviet space shuttle
that one of the captchas still being worked on is a distorted goatse image (Cwazymail)? Is that for real or is that a cleverly disguised joke? haha...
I was thinking about captchas (didn't know they had a name) when signing up for a Gmail account today. I wondered if it would be profitable to set up a company somewhere where labour is cheap to employ people to read captchas on demand. Apparently the British postal service scans images of letter envelopes and sends them abroad where the postal codes are read and sent back. If a person could read, decipher and type, say, 3 captchas a minute, and you paid them 50 cents an hour, you could make a profit charging half a penny per captcha to nefarious blog spammers etc.
..the bots became self-aware..
SYS 64738
A test for humanness will not be convincing until it cuts out 70% of AOL users and 58.2% of Belgium. (58.2% of Belgian users would work, too.)
I don't get the Belgium/Belgian users reference. Did they do something wrong to not be considered humans? Are they dumber than average? Is "Belgium" just a funny word? I don't get it. Somebody (preferably one who knows the answer) please enlighten me.
Have you ever wondered How to Take Over
Yeah, right.
Anyone else had the experience of not being able to read the captcha on a web site? Seriously... if a human brain can't read it, I really doubt a program (at least at today's levels) could do so. Of course, part of the problem is that English has too many letters that look alike. Lower case "l" and capital "I" for instance.
What is the next logical number in the sequence 1, 3, 5, 7, ...?
11 is the next odd prime in the sequence listed.
"I'm not impatient. I just hate waiting." - My Dad
all captchas should timeout after, oh, say 10 minutes?
In all honesty, do you really think you're going to get that many people to regularly visit a pr0n site? The sector is extremely cut-throat and vastly bigger than the market can justifiably support (hence why many pr0n sites close each month).
The only way to get to the top of the engines in the first few months would be to use PPC advertising (costs money). After that, even if you get to the top of the SERPS by using nefarious means, you'll need to give people a viable reason to sign-up to your service, i.e. you'll need content which costs money (unless you want to steal it, at which point you can probably expect some real mean types to track you down and kill you, them porn businesspeople are crazy).
I am NaN
Editors -
Please don't link to the goatse man without at least some warning.
Thanks.
Was it just me or did I just see goatse.cx being used as captcha?
> breaking CAPTCHA that people can easily
> read usually isn't really that hard
Bummer! But I daresay for some purposes - like protecting a Wiki - CAPTCHA is still a decent first line of defense...
> ImageMagick's Perlmagick library
Cool, thanks for the info!
The Army reading list
Ah so that's what they call that. I used to have a mailer on my site that I wanted to protect from spammers/bots and I was trying to find a pre-made script on google but I had no clue what they were called so I just ended up writing my own. Oh well, it's about a year too late now and I don't even have that mailer form on my site anymore. P.S. I bet my awesome captcha script would have been un-crackable! =P
Next up, the end of the internets!!!eleventyone
Yeah, right.
all i know is that someone managed to get a front page link on slashdot to a site that has an image of the goatse guy (next to the elephant and the owl in the Cwazymail captcha) AND a link to gnaa.us. well done. :-P
that would be a draft beer yes?
The world according to SComps
If you look at the middle image of the Cwazymail examples, it looks likes... well you can make your own judgement.
Do you have to be 18 to sign up?
I don't get the Belgium/Belgian users reference. Did they do something wrong to not be considered humans? Are they dumber than average? Is "Belgium" just a funny word? I don't get it. Somebody (preferably one who knows the answer) please enlighten me.
I thought the answer was obvious: they share a border with the Dutch.
There's a goatse image on that page.
I don't feel so bad using a Captcha on my site regarding the inconvenience it causes to vision-impaired visitors. You only need to fill in the Captcha for posting comments. Otherwise, blind people can access the rest of my site unhindered.
I'd also like to point out that since I've implemented my Captcha, this level of obscurity has blocked 100% of the comment spam I was dealing with in my Wordpress-powered site.
I do think it presents an undesirable hurdle for blind people accessing other sites like registering for email accounts and the like.
$5 / month hosted VPS on linux = awesome!
Thanks a lot /. for that wonderful link. An otherwise wonderful lunchbreak is now, for lack of a better expression... down the tubes.
Thanks for linking the Goatse Man image in the article. Oh how I've missed being tricked into viewing thee.
The link is not work safe.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
I don't care if his code works or not. He got every person to look at the goatse picture, whether they realized it or not.
In fact, I kinda hope the whole site was an elaborate practical joke just for that purpose.
GP: Just got ditched by your Belgian girlfriend or what did we deserve this statement for? At least we got good-tasting beer that can help you feel less bad about whatever is bothering you :-)
P: American beer is about the same as the 'yellow water' that comes out of a Republican Elephant when you threaten it with a military draft
I realize that bashing America is fun (hey, I do it, and I'm American!), and I can even appreciate a good non-sequitur, BUT... Why are you responding to a Belgian's boast about his country's beer with an attack on America's beer?? I'll never understand women...
...sometimes, in order to hurt someone very badly, you have to tell that person terrible lies. - PA
You only need to fill in the Captcha for posting comments. Otherwise, blind people can access the rest of my site unhindered.
So you have intentionally shut out blind people for posting comments. Prepare for some heated e-mails from the first blind person who really, really wants to post a comment. They only start polite.
Only governments should have compulsory support for visual impaired users. For the rest of the pages it's a bonus if they decide to support those people.
I assume your argument is that a competitor could make money by picking up the disabled customers that the discriminatory company left behind, but that's not always the case. Take as an example the company providing electric power. In many familiar jurisdictions, the power company holds a local monopoly. If the power company discriminates against blind people, then do you expect blind people to go without electricity?
Why not just show a picture of an object and you a multiple choice answer of what it is?
I'm from Holland. Isn't that veird?
Gamingmuseum.com: Give your 3D accelerator a rest.
THIS IS ONE GIANT TROLL ARTICLE! LOL!
About 3/4ths down the page there is a goatse picture, and the caption at the top thanks the GNAA. Wake up slashdot.
This is my sig. There are many like it, but this one is mine.
Unless you're a government agency, you can lock people out of your web site for any reason at all.
If you use a web site to engage in commerce among the states, the web site falls under congressional jurisdiction. If you use a web site to engage in commerce related to a contract with the U.S. Government, the web site even more obviously falls under congressional jurisdiction. Likewise, if your business has a government-granted monopoly such as a public utility franchise, the web site falls under the jurisdiction of the agency that granted the franchise.
Hashcash is useful, perhaps, in stopping spam, which is only worthwhile when sent in the millions. Things protected by CAPTCHA systems, like new email accounts and slashdot posts, tend to be worthwhile to the attacker in thousands instead. The maximum I'm going to tolerate as a user is about one minute of hashing, which works out to 1440 solutions per day ...
Do you think yahoo mail will be happy if a particular blackhat box only registers 1440 new accounts per day? Will you and I be happy if a particular slashdot troll only posts 1440 comments per day? Will an average user prefer sitting there doing nothing for 60 seconds, instead of typing in a few letters in a picture?
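The cost argument in the comment above, as an added illustration (not code from PWNtcha or the hashcash project): a minimal hashcash-style minter and verifier, plus the "one minute per stamp = 1440 stamps a day" arithmetic. The stamp layout follows hashcash v1, but rand and counter are hex rather than base64, and the resource name is made up.

```python
import hashlib
import secrets
from datetime import datetime, timezone
from typing import Optional


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint(resource: str, bits: int, date: Optional[str] = None,
         rand: Optional[str] = None) -> str:
    """Client side: search for a counter so SHA-1(stamp) has >= `bits` leading zero bits.
    Expected work is 2**bits hashes, paid once per stamp (per post, per signup...)."""
    date = date or datetime.now(timezone.utc).strftime("%y%m%d")
    rand = rand or secrets.token_hex(8)
    counter = 0
    while True:
        # hashcash v1 layout: ver:bits:date:resource:ext:rand:counter
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter:x}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, resource: str, min_bits: int, seen: set,
           today: Optional[str] = None, max_age_days: int = 2) -> bool:
    """Server side: one SHA-1 to check, and each stamp is accepted only once
    (the `seen` set stops replay of a single expensive stamp)."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1" or parts[3] != resource:
        return False
    try:
        bits = int(parts[1])
        issued = datetime.strptime(parts[2], "%y%m%d")
    except ValueError:
        return False
    if bits < min_bits:
        return False
    if today is not None:
        age = (datetime.strptime(today, "%y%m%d") - issued).days
        if age < 0 or age > max_age_days:
            return False  # stale or post-dated stamp
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False
    if stamp in seen:
        return False
    seen.add(stamp)
    return True


def stamps_per_day(seconds_per_stamp: float) -> float:
    """The comment's arithmetic: one minute of hashing per stamp gives 1440 a day per box."""
    return 86400 / seconds_per_stamp


def bits_for_budget(hashes_per_second: float, seconds: float) -> int:
    """Largest difficulty whose expected cost (2**bits hashes) fits the time budget
    a legitimate user is willing to spend."""
    budget = hashes_per_second * seconds
    bits = 0
    while 2 ** (bits + 1) <= budget:
        bits += 1
    return bits


if __name__ == "__main__":
    # Constructed example: a comment-posting resource, 12 bits so the search is instant.
    stamp = mint("comments.example.invalid", 12)
    print(stamp, verify(stamp, "comments.example.invalid", 12, set()))
    print("stamps/day at 60 s each:", stamps_per_day(60))
```

The verifier's `seen` set is the part that matters operationally: without it a spammer mints one stamp and replays it, and the proof of work costs nothing.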
Which of the following would be the textual description of the second pic (http://www.videolan.org/pwntcha/goatse-captcha.jpg) for the Cwazymail implementation?
ASSRIPPING
OUCH!
DEARGOD!
I_CAN_SEE_HIS_TEETH
Do you think yahoo mail will be happy if a particular blackhat box only registers 1440 new accounts per day?
By the time a single IP address has generated enough hashcash to create ten new accounts in 24 hours, red flags should go off that this machine is either a spam bot (bad), an open proxy (bad), or an ISP's proxy (which can be verified by a human being).
You suggested asking an easy trivia question, basing your example on traffic law. Watch a computer just build up a database of all the possible questions. In addition, how would a fellow with a red-green color deficiency, who sees "top light, middle light, bottom light" in a traffic signal, be able to answer your question correctly?
There's a perturbed image (aren't they all?) of goatse embedded in possible captcha implementations. Browse carefully.
Reminds me of the old days of slashdot landmines!
why should I spend $10,000 to make my facilities handicap accessible if there is no net profit to me?
Because you run the risk of being fined $50,000 under anti-discrimination laws if you don't.
So, that captcha cuts out those people who have an internet connection AND have no phone AND are blind.
I'm assuming that a TTY connected to a braille wheel counts as a "phone" in your analysis, right?
Firefox too is immune from LastMeasure.
They are just as good at filtering off bots, as at stopping me from registering when I'm drunk.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
a human still has to answer the questions if the computer isn't intelligent enough to know what is being asked of it.
And once humans have fed correct answers for at least 25 percent of the 10,000 questions into the spam bot's database, the computer can handle the rest.
and there's nothing to stop you from expanding the dictionary.
Except human time. It would take nearly as long to build up a spam bot resistant dictionary as it would to moderate comments the old fashioned way.
Taste that smooth and smoother flavor
Zest and sparkle millions favor
"what'll you have?" the answers clear
pour me Pabst Blue Ribbon beer
Thanks to the internet, we can now all die alone together! -SomeWoman
And I just added captcha to the comment posting system on my blog! >_
Oh well, at least my other antispam measures will still work.
Friend: "The NIC is misconfigured..." Me: "No prob, I'll just telnet in and fix it." *Silence*
Some sites include an "audio" link by the captcha. I believe that it was yahoo I recently visited to download messaging software, and the captcha had an option to listen to an audio clip that would tell you what to enter.
This article about captcha being unnecessary and useless needed to pass one. Does anyone else find that as funny as I do?
I thought about this problem on a recent trip to the urinal and here's what I got.
1) Get (or construct) a large database of nouns of well-known objects (car, orange, bottle, phone, pencil, brick, cup, etc. etc.)
2) Retrieve image references from a (safesearch-enabled) Google image search for a random noun from your database. Pick randomly from the result set.
3) Present images to the user. "These are pictures of a..."
4) My next strategy was to figure out a combinatorial way to increase the number of possible replies so that an attacker couldn't simply create a database of knowns (such as a hash database of images)
What do you smart fellers think? other than google being pissed for scraping their site
A while ago, Slashdot was using captchas so messy that I didn't even know what they said. I'd pretty much always get the "try your reply again" thing, until I sent an email and stopped having to do the captcha. Now, I see they're easier. But still annoying. On yahoo, I fail, oh, let's say, 1 out of 8 times to correctly input the word. Now, I do have bad vision, but I'm not blind.
It DOES have its problems - members of the Government and police force are suspected of being directly involved in human trafficking, for example - but it is certainly no worse than any other.
To most English, though, Belgium is mostly associated with beer, chocolate and Hercule Poirot. Other than that, the only thing exceptional about Belgium is how utterly unexceptional the country is.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Last I checked, the ADA didn't apply to websites.
Possibly. But section 508 of the Rehabilitation Act does apply to web sites of companies that sell products to the U.S. Government.
ok, you misread. Partly because I spoke poorly.
static singular system = a single snapshot of time from a system.
Try doing Spread-Spectrum Communications when given a singular RF pulse. Tell me who sent what, and what they were trying to say.
Can't be done. But now give them regular modulations and movement, and add a time factor, and you can pick it up.
I am unamerican, and proud of it!
But the spambot could just _pretend_ that it didn't understand.
;-)
Plus you're discriminating against autistic people who can read the steganographic messages in jpg files
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Suggested additional methods of preventing CAPTCHA defeat:
:)
1. Change the instructions so that it isn't always "type these characters". Maybe "type the first three characters", etc. Randomise this element.
2. Use the technique that spammers love: replace characters in your CAPTCHA with similar-looking, but non-standard ones; the word will still be readable, but will foil font-based algorithms.
3. Divide the image into small blocks, cutting across characters, and with randomised cutting points. Display them together on the page, and the user need never know the difference, but a bot is much more likely to choke.
4. Use Javascript to load the image, so that a bot that doesn't process JS won't ever see the image.
5. Better still, load a dummy image in HTML, and overlay it with another in JS. Legitimate users will see the overlaid image; bots will see the original one, and therefore get it wrong in a predictable way, even if they can decipher the graphic. Could be a good way to spot the dodgy user right from the beginning (yes, it would also catch users with JS turned off... but in these days of Ajax, who does that?)
6. Use hieroglyphics rather than alphabetic characters: show a couple of easily recognised icons or pictures, and ask the user to identify them.
7. Trap IP addresses, etc of users that fail the test. Increase the difficulty of the test for IPs that have previously failed.
That's all I can think of for now. I'm sure some of them won't really be workable (and I'm sure the slashdot crowd will gleefully tell me so!), but hopefully there's something useful and new in that lot.
(btw - is it deliberate that CAPTCHA sounds so similar to GOTCHA?)
(Spudley Strikes Again!)
you say, "textual tests would do just as well."
DMCA advocates say, "content protection can stop bad guys without inconveniencing good guys."
Both are flat-out wrong in the real world.
The good news is, you have a potentially bright career ahead of you in politics.
I've been thinking about a good way to defeat Captcha. When the bot sees the captcha image it automatically displays it at a 'helper' site. This site could be some random pop-up from a spyware program that asks the user to then write down the word in the Captcha image. The bot then uses the entry from the Spyware affected person to enter the original website.
I don't need to break any sites myself, but I'm sure that this would work.
Religion for nerds. Stuff that really matters
Mod parent up. The editors must be snoozing. And submitted by anonymous no less.
-Solo
I doubt the article itself was meant as a troll, but it is pretty obvious that it comes from someone in the trolling community. Who else would be so interested in breaking captchas? Maybe spammers, but then again the trolls probably appreciate spamming as it lowers the signal to noise ratio. Or maybe they view each other as competition...
I'll never make that mistake again, reading the experts' opinions. - Feynman
It will be interesting if a blind person does post a comment on my site. I do advocate for the ADA and am a web programmer for a govt. agency where I have to argue against my co-workers using non-ADA compliant content types like PDF, FLASH, POWERPOINT, and MS Word docs on our web sites. I think that for a blind person, the internet can really expose them to a lot of stuff that's difficult to interpret in hardcopy.
So, I'm not saying that the visually impaired are unwelcome on my personal website. It's just that I've made a judgement call between suffering comment spam and excluding a minority of people who would ever be interested in the stuff on my website. Similarly, I was plagued by Brazilian script kiddies attacking my server, so I put firewall rules in place that block all connections from Brazil. Just to save bandwidth, I also eliminated connections from Australia, China, Taiwan, and a few other countries. My website is about skateboarding in Austin, and the intended audience isn't really people in those countries. This may seem like an arbitrarily unfair case of discrimination on my part, but that's my right as an independent internet publisher.
Seth
$5 / month hosted VPS on linux = awesome!
Funny the newer captchas are easier for me to read. They use to be illegible.
You'd be hard-pressed to find an optical illusion that works on a computer screen and generates something human-readable, though I can think of one that might---the use of negative space. Alternate between positive and negative space to generate letters. Of course, this still can be figured out by more sophisticated use of statistics, and still falls into the category of color variation, albeit a more subtle variation of it....
Other optical illusions (dot patterns and "tell me what image pops out") fall into the same category as the homonyms---that the problem space is limited. Now if someone could come up with a mechanism to take arbitrary photos, determine the most critical lines, and convert those into dot-pattern illusions in an automated fashion without human intervention, then the entire world-wide web could be the problem space, using google's image search for random words out of a dictionary.
Of course, again, you'd sometimes have problems where the words wouldn't match what you were really seeing, and more importantly, if someone could figure out your source dictionary, one could still reverse-engineer the problem space... it would just take a lot longer and require a lot more storage and bandwidth. You -might- be able to make it impractical to do, although probably not impossible... and maybe that would be good enough. I'm not sure..
Of course, once we get holographic storage, even that approach is pretty much screwed. Once you superimpose two copies of the image with a relatively trivial 3d transform, you will make the image stand out. Then do some statistical analysis to separate the image from the noise and feed that to holographic storage, which will then essentially tell you the locations of the images most closely matching. Expect Google to do this sort of image matching by 2010 or so, as it is the obvious next step in search technology. At that point, you'd be able to fully reverse even something as extreme as the above....
Check out my sci-fi/humor trilogy at PatriotsBooks.
This article is a fraud. No source is presented, and goatse.cx is displayed in the examples. This whole thing was contrived just to get goatse.cx in a legitimate front page post. Best troll in years.
this sig limit is too small to put anything good h
Obviously, the article's author is Sam Hocevar, also known as Gary Niger. He's French, which explains the rabid anti-semitism and the fascination with gaping assholes that is the GNAA. Do a google search for gnaa.txt, and you'll have his home directory. It looks like he's well on his way to defeating the new Slashdot captcha.
The real path to male liberation
In other news, here's the world's most secure captcha (as seen on this page), and here's the world's sickest captcha (as seen on Google).
It's funny because looking at a number of the comments regarding escalation, it is obvious (to me) that in the very near future, 5 or 10 years at most, you can have automated systems that will be equal to or outperform most people on most tests.
If (When?) that happens all of these tests will be worse than useless. There must be another, better answer established that will allow for anonymous verification of people. I don't know what that better method is but more of the same is not going to do it.
I mod everyone down who says "I'll get modded down for this." I hate to disappoint.
What he really means is, "I made all this up. I didn't really write any code. If I did, I would have published in a scholarly journal and would gladly show you the code." That's how I read it, anyway. What the hell does he care if people break CAPTCHAs?
In other news, I've solved every known open mathematical problem. Unfortunately, I can't publish the information because I don't want terrorists to get it.
Riiiight.
My other car is first.
There is a not so distorted goatse image about 3/4 of the way down the page. Beware.
As the Belgians are the inventors of French fries (they should in fact be called Belgian fries!), deal with the fact that they probably know how to handle fries correctly. I myself don't like either ketchup or mayonnaise on my fries, just a little salt.
> Is "Belgium" just a funny word?
Well, say it a few times. Does it _sound_ funny? Think about whether it sounds funny, while you're saying it, repeatedly. *Now* does it sound funny?
(This trick works with most words, BTW.)
Actually, the real issue with the word "Belgium" is that Douglas Adams wrote things about it that could be interpreted as disparaging, so all real geeks have to think it's a bit off, or they lose their geek card.
Cut that out, or I will ship you to Norilsk in a box.
GNAAtcha!
Thanks so much...
/.: why the hell am I here?