Slashdot Mirror
Web Users Angered by Anti-Spam 'Captcha'
Carl Bialik from WSJ writes "Captchas -- the jumbles of letters that users must type to gain access to some websites -- are a growing irritation, the Wall Street Journal reports. But programmers hope to make new variations that are both easier to decipher and harder to crack. From the article: 'Some captchas have been solved with more than 90% accuracy by scientists specializing in computer vision research at the University of California, Berkeley, and elsewhere. Hobbyists also regularly write code to solve captchas on commercial sites with a high degree of accuracy. ... Henry Baird, a professor of computer science at Lehigh University who studies PC users' responses to the codes, has been working with colleagues to develop new generations of captchas that are designed to be easier on humans but baffling for computers.'"
I couldn't read the article. They wanted me to type CapTcha. Or was it Cap7cha? Oh well?
And All I Ask is a Tall Ship And a Star to Steer Her By
HOT GRITS
I prefer kitten auth.
liqbase
I had heard once of a very cunning strategy around captchas. I'm not sure if this is true but there is a story of a p0rn site making large sums of cash by selling key sets to the images. Certain sites would not dynamically generate images but instead rely on sets of images with protected keys as a captcha.
In order to use the p0rn site he ran, you had to either pay money or spend time identifying captchas. He would then store them in a database and match it up with a checksum of the image. When he had completed a site's captcha key set, he would sell these lookup tables to anyone with money.
All they then had to do was write their program to do a checksum of the image (or the image itself if he had stored it) and then plug the word from the database into the page for verification.
With the introduction of splashers that spatter the statically stored images with lines or dots, the image is stored and a something like an edit distance is applied to it to find the closest match. Once that is accomplished, it references the keyword out of the database. You turn up the splasher and you risk the user not being able to figure out the word.
It seems that evil always finds a way. This is why captchas should always be dynamically generated on the fly from a very large dictionary! Check out Securimage for PHP.
My work here is dung.
I have a patent on it, of course...
Running Windows^H^H^H^H^H^H^H OSX and Linux in the home. (I don't have time for Solitaire any more.)
"Some captchas have been solved with more than 90% accuracy by scientists specializing in computer vision research at the University of California, Berkeley, and elsewhere."
Hell, that's better than my average. They are getting so cryptic, it seems I get them wrong about 25% of the time these days.
-josh
..a script might do better.
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
Just throwing this out, but maybe there should be a very basic question asked instead? Since these already presume literacy, maybe something like:
Which of these is a number: A 2 R P?
Seems that regardless of what they come up with there's going to be some part of the population that won't figure it out anyway, and if the whole point is to confuse auto-registerers, then I'd think it'd be harder for those to account for every possible question and answer set.
(Yea, it's in TFA, but mentioned like an aside...)
The captcha concept breaks down if the user can't see the image, either through the limitations of their browser (links) or the limitations of their eyes. A US government site would have a hard time justifying captcha in light of their legal and moral responsibilities to the disabled citizenry.
[
...unless you are blind. Some sites have alternate audio versions for the vision-impaired, but it's still a problem.
And even if you aren't blind, I've run into many a captcha that I couldn't decipher. Poorly designed sites may delete the entire content of your post if you fail the captcha, but I guess that's a design issue for another topic.
- There are things called 'Captchas'
- People don't like them
- Computers are getting better at cracking them
- Some boffins are trying to make new ones which people like and computers don't
Really, that's all there is.init 11 - for when you need that edge.
As usual, the problem is approached from the wrong direction. When the dam bursts and the floodwaters cover the town, it's a waste of time to develop bigger and better waders. The correct thing to do is repair the dam. So instead of developing ever more elaborate ways to handle the spam flood, just shoot spammers. Put a cash bounty on them, dead or... dead. Problem quickly solved.
we will end no whine before its time
Not sure if cryptic is the right word
Sig cannot be found.
Just as the point of DRM isn't to be completely bullet proof (there's always the analog hole), the point of a captcha is to be enough of a nuisance that someone doesn't spend the time to crack it. Obviously, for a site like Yahoo and it's zillions of sites, it pays to spend time breaking the captcha. But for your average site, the captcha just has to be "good enough" such that someone won't bother to write a crack to spam a small fish.
Sometimes it's best to just let stupid people be stupid.
If I wanted to be really sadistic, I could instead present site readers with a sentence, in which they have to fill in either "their," "there," or "they're."
Slashdot Burying Stories About Slashdot Media Owned
One of the things that I'm watching in the error logs of SpamOrHam (web site where volunteers sort messages into spam and ham) is the error rate on the CAPTCHA used. Ignoring what appear to be automated attempts bruteforce the CAPTCHA I see an error rate of around 20% of 100,000s of CAPTCHA's.
That's amazingly high. 1 in 5 CAPTCHA's are incorrectly entered by humans doing their best to do the right thing.
No wonder people get mad at them.
John.
Captchas are not hard to crack, now that someone has produced my favorite crack strategy. A "man in the middle" attack server hits pages with captcha challenges. That server advertises a "free porn" website, presenting to its human audience the captchas it hit. The porn seeking humans decode and enter the captchas, get the porn (or not), the server sends their entries to the original captcha page, and gets past them as often as humans seeking porn would. There's so many humans seeking porn that the middleman transactions happen in realtime, indistinguishable from direct human responses to the original captcha.
This is v1.0 of the Matrix, where human brains are harnessed to solve problems by a more powerful and wise, though less "intelligent" computer network.
--
make install -not war
... it is annoying for users. Sometimes I get it wrong because I can't tell if the captcha technique they are using is case sensitive and I can't always tell the case of the character! Sometimes a lower-case L can be confused for a number 1 or vice-versa. So yeah, it's REALLY annoying.
HOWEVER. A short and simple multiple-choice or true-false quiz might determine with some level of accuracy if the poster is a person or not. Simple stuff like a random image of a sheep, a lion, a bear or a whale with a radio button selection below it. It's easy to run through, it shouldn't require much skill from the user and has the potential to confuse interpreting software a lot more.
This approach could also even be ENTERTAINING to the user in that funny pictures could be used in the image interpretation drill. Such questions could be "Is this person having a good day?" and you can put all manner of interesting images in there for a true-false scenario. Being an entertaining method will definitely win fans. Being tedius, stressful and mistakable will lose fans.
In response to the people asking about animated gifs, I think they could be algorithmically defeated. However, what about something requiring mouse movement? For example, using a mouse gesture as an unlocking code. A text (or audio) cue to the user to do something with the mouse. The above wasn't my first thought after answer the animated gif question. But if follwed from the first thought; instead of animated gifs, what about the Apple Quicktime things that allowed you to move the mouse to view a 3d scene? The entire scene wouldn't be visible and would require mouse movement to view the scene enough to answer the question. Obvious problems- hard to generate. But a mouse gesture based unlocking? Isn't that doable?
Let's say you have your super-duper captcha generator where no two are ever alike, and thus can't be indexed. Let's say I also want to crap-flood you with automated posts linking to my product, or just site I want brought forward on Google's index. Think you're safe?
Hell, let's use Slashdot as an example, since everyone has seen the captchas here.
It works like this: I'll set up a porn site all right. Gets people's interest easier than anything else. I promise some free porn, or heck, even some links to other thumbnail galleries, but make people go through a captcha each time. Except it's _your_ captcha. Consider the following sequence:
1. Random J Hornyguy wants to see the porn. He makes the request that'll give him the captcha page.
2. My server automatically makes a request for a message posting form on your site. (Think simulating clicking on a "Reply To This" link on Slashdot as Anonymous Coward.) Your server gives me the form, complete with session cookie, etc, which I store, and also a captcha. Ah-ha. Guess what I do with that captcha...
3. Random J Hornyguy finally gets his login page, complete with the captcha I just got at step 2. Which he mutters a bit about and finally fills in as plaintext and submits.
4. I now finally submit my post to your site, complete with the captcha text that Random J Hornyguy dutifully filled in for me.
5. If that doesn't go through, I'll make another request and politely ask Random J Hornyguy to try again. (I'm userfriendly, eh?) If it went through, I'll also let him see the porn. After all, I'll want him to come again later and do some more free work for me, so no use annoying the hell out of him. But if I'm an evil SOB and have an endless supply of suckers (e.g., a spamming or phishing operation reeling in the suckers), I might tell him that he typed wrong anyway, and see how many can I get him to solve before it dawns upon him that there's no reward and he can't ever get past the captcha.
Note that at no point this relied on you having a repeating set of images. My site just acted as a captcha proxy between yours and a human sucker, in real time.
Sure, it needs a bit more work coding it like that, but not much more. (I'd have to store the session, recognize links, simulate form responses, etc, anyway if I want to automatically crap-flood your site.) And it'll keep working no matter how you alter your captcha generator, as long as it's still readable at all by a human. And if I have enough users, I can add modules to automate that captcha proxying for several site: each user randomly gets to break the captcha for another site, so the crapflooding is more distributed instead of swamping one site solid.
Also note that a lot of sites, Slashdot included, only make you use the captcha once, when you create or log in a user. If you choose to get a permanent cookie, you can post thousands of posts without ever seeing a captcha again. So I don't have to rely on you reusing captchas, if I create a new user for each one my users solved for me and store the permanent cookie. Since each such user can post more than once before the site admins catch on to it and ban the user id, I can generate a lot more crapflood posts than I get users solving captchas for me.
(Or maybe I won't crapflood some message board, but generate ids to free mail accounts and send spam from that. Again, that escalates quite nicely. As long as you don't require a captcha for every single bloody email a legit user sends, I can send thousands of emails per captcha solved by some Random J Hornyguy. And when that user gets banned, some other Random J Hornyguy will solve the next captcha for me.)
So, to wrap this long rant up, TFA just made me go "didn't it ever occur to these people that they're doing a brilliant technical solution, but it solves the _wrong_ problem?" It's such a tunnel view of the problem, it ranks up with MPAA's being surprised that people tell their friend whether a movie was good or bad. It's the typical "idiot savant"
A polar bear is a cartesian bear after a coordinate transform.
Basic image comparison techniques are pretty easy to fool. Change one pixel and the entire image hashes to something else.
Change one pixel and the peaks of the Fourier transform of the image remain mostly the same. It's the same reason one can hear a tone above white noise.
Some "dupe detectors" reduce the image to a grid of n*m, take the average color of each square, and hash that.
Which is the same as using only the low-pass parts of the Fourier fingerprint.
This can be defeated by changing the color of a significant block of pixels to a random color, though this would need to be arranged based on the picture itself so you don't hide the kitten.
To defeat this, use a short-time Fourier transform or a sharpen filter to detect areas with abnormal spatial-frequency properties, and reject those from the comparison before taking the Fourier transform.
That still leaves things like manually capturing every possible unique base kitten image, then doing a pixel-by-pixel comparison and marking everything mostly matching as a kitten.
That would just increase or decrease the DC component of the picture, again trivial for a Fourier based detector to rule out.
My own weblog was recently hit by comment spam. I was extremely irritated, and initially considered captchas as a potential solution. But several problems with captchas ultimately lead to me seeking alternate solutions.
The first problem with captchas is the barrier it puts up, however small, between you and the users of your site. Apologies for the corney analogy, but captchas are a speedbump on the information superhighway. People hate running into them.
The impediment to visually disabled users is also a big one to consider. It's not just fully blind people. People can be shortsighted, colour blind, dyslexic or perhaps simply shortsighted users relying on specialist software to read your website. You're letting these people down by adopting this practice and that's something I would really feel bad about doing.
But the biggest reason not to use captchas is spammers increasing abilities to interpret them. At even a five percent success rate in interpreting captchas, a spammer can bombard your site with requests and still get something through. They're just using the same model as they did with email, and it will work.
Instead I chose some other plugins available for Wordpress to help with the spam. Akismet sounds like it could work as a kind of distributed spam check/blacklist of sorts, though I am wary of the fact that a private company is running the service. I also installed Bad Behaviour, though it's clear that eventually some spammers will adapt their behaviours to this.
Ideally what I'd like is a true bayesian comment spam filter plugin for wordpress, but so far I haven't been able to find one. Such filters have done wonders for me in Thunderbird for my email spam, with something like a 99.99% sucess rate and no false positives. Clearly the situation is quite different with comment spam, but all the same it would be nice to have one.
I envisage that the comment spam situation will get a lot worse as time goes by, regardless of any pagerank type algorithm changes. Comment spam will no doubt become as ubiquitous as regualar spam and I can forsee dozens of "splog" post per day in the not too distant futre. My opinion is that Blog software should come with robust, adaptable and self updating anti-spam software on by default before this problem escalates out of control.
May the Maths Be with you!
I got one from LinkShare once that said "r A p e." It was pretty disconcerting. I should have taken a screenshot.
> How do computers do fare against Ishihara colorblindness tests?
I've never heard of a colorblind computer.
Done with slashdot, done with nerds, getting a life.