Slashdot Mirror

← Back to Stories (view on slashdot.org)

Web Users Angered by Anti-Spam 'Captcha'

Posted by ryuzaki0 on from the web-user-smash dept.

Carl Bialik from WSJ writes "Captchas -- the jumbles of letters that users must type to gain access to some websites -- are a growing irritation, the Wall Street Journal reports. But programmers hope to make new variations that are both easier to decipher and harder to crack. From the article: 'Some captchas have been solved with more than 90% accuracy by scientists specializing in computer vision research at the University of California, Berkeley, and elsewhere. Hobbyists also regularly write code to solve captchas on commercial sites with a high degree of accuracy. ... Henry Baird, a professor of computer science at Lehigh University who studies PC users' responses to the codes, has been working with colleagues to develop new generations of captchas that are designed to be easier on humans but baffling for computers.'"

23 of 267 comments (clear)

  1. What? by Alex+P+Keaton+in+da · · Score: 4, Funny

    I couldn't read the article. They wanted me to type CapTcha. Or was it Cap7cha? Oh well?

    --
    And All I Ask is a Tall Ship And a Star to Steer Her By
    1. Re:What? by deesine · · Score: 4, Informative

      What gets me in the inconsistent use of case sensitivity. About 20-30% fail for me because of this.

      --
      damaged by dogma
  2. To read this comment enter the text by LiquidCoooled · · Score: 5, Funny

    HOT GRITS

    I prefer kitten auth.

    --
    liqbase :: faster than paper
    1. Re:To read this comment enter the text by saifrc · · Score: 3, Interesting

      There's a geographic/cultural/educational problem with KittenAuth -- what if you're not familiar with kittens? Or foxes? What if you've never seen real cattle? These situations are not as rare as you might think, and certainly not invalid. I personally would have had a little trouble identifying the foxes on the KittenAuth page, were they not highlighted with a red border.

      I think it's a step in the right direction, though. It's an interesting insight into what human memes can be considered universal.

    2. Re:To read this comment enter the text by Qzukk · · Score: 3, Interesting

      Basic image comparison techniques are pretty easy to fool. Change one pixel and the entire image hashes to something else. Some "dupe detectors" reduce the image to a grid of n*m, take the average color of each square, and hash that. This can be defeated by changing the color of a significant block of pixels to a random color, though this would need to be arranged based on the picture itself so you don't hide the kitten.

      That still leaves things like manually capturing every possible unique base kitten image, then doing a pixel-by-pixel comparison and marking everything mostly matching as a kitten. It can be slowed down by changing the brightness or tint of the overall image slightly, but too much would make the image unrecognizable.

      It would be more interesting to combine several ideas. Rather than "click on the kitten" have each picture marked with a random letter, and "enter the letters of the pictures with kittens". Or maybe change it up, pick brown kittens or black kittens or white kittens, kittens playing with a ball, etc.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  3. Image Key Sets & Dynamic Captchas by eldavojohn · · Score: 4, Informative

    I had heard once of a very cunning strategy around captchas. I'm not sure if this is true but there is a story of a p0rn site making large sums of cash by selling key sets to the images. Certain sites would not dynamically generate images but instead rely on sets of images with protected keys as a captcha.

    In order to use the p0rn site he ran, you had to either pay money or spend time identifying captchas. He would then store them in a database and match it up with a checksum of the image. When he had completed a site's captcha key set, he would sell these lookup tables to anyone with money.

    All they then had to do was write their program to do a checksum of the image (or the image itself if he had stored it) and then plug the word from the database into the page for verification.

    With the introduction of splashers that spatter the statically stored images with lines or dots, the image is stored and a something like an edit distance is applied to it to find the closest match. Once that is accomplished, it references the keyword out of the database. You turn up the splasher and you risk the user not being able to figure out the word.

    It seems that evil always finds a way. This is why captchas should always be dynamically generated on the fly from a very large dictionary! Check out Securimage for PHP.

    --
    My work here is dung.
    1. Re:Image Key Sets & Dynamic Captchas by Nos. · · Score: 3, Interesting

      I spent some time working on an alternative to captcha, I call AOMIS. http://aomis.net./ I haven't had a chance to work on it for a while, but the basic idea was, provide a piece of media, the user must identify the content.

      In most cases, it would be an image. So, I might show you a picture of an elephant, and to submit the form, the user would have to enter 'elephant' into the box. Each image would have a number of correct answers to account for common spelling mistakes, and the most common correct responses. Its built to handle multiple languages, and different types of media. Thus, you could use audio files for the blind. Audio files could ask a simple question "What is two plus two" or such.

      Now, to deal with checksums, each piece of media is regenerated dynamically on a regular schedule, for example, changeing one or two pixels on an image is probably not noticeable to a person, but changes the checksum, making it impossible to catalog the database.

      I just wish I had the time to get it to a point where people could start trialing it.

    2. Re:Image Key Sets & Dynamic Captchas by odyaws · · Score: 5, Interesting
      In order to use the p0rn site he ran, you had to either pay money or spend time identifying captchas.
      I saw a talk recently by Luis von Ahn, one of the inventors of the captchas. There were two interesting ways he said people were getting around captchas. One was a real-time approach similar to what you describe. Rather than storing a big database of these things, the bot that was signing up for email addresses or whatever would, upon encountering the captcha, sent that image off to someone browing the porn site (posing as a legitimate captcha - "We need to verify you're a person and not some bot stealing our porn for another site"). In order to continue browsing, the user would have to solve the captcha. Naturally they tend to do this very quickly and accurately :)

      The second approach was simply to set up captcha solving sweatshops somewhere in Asia with cheap labor, with people paid a few cents an hour to sit and solve captchas all day. This brought the cost of a new email address up to something like 1/3 cent, which for many spammers is still a viable price. The cost does limit this approach, though, so the captcha still helps.

      The interesting thing about both of these strategies is that they use humans to solve a problem that is difficult for computers, which is von Ahn's research area - he's also one of those behind The ESP Game (caution - this can be shockingly addictive). There's essentially nothing that can be done to defeat either approach without also making a system a huge pain in the ass for legitimate users. From this point of view, spending time trying to come up with more advanced captchas is kind of pointless.

      --
      Still trying to think of a clever sig...
  4. 90% accuracy? Not bad. by joshv · · Score: 4, Funny

    "Some captchas have been solved with more than 90% accuracy by scientists specializing in computer vision research at the University of California, Berkeley, and elsewhere."

    Hell, that's better than my average. They are getting so cryptic, it seems I get them wrong about 25% of the time these days.

    -josh

  5. I often fail those Turing tests by Bromskloss · · Score: 3, Funny

    ..a script might do better.

    --
    Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
  6. Different method entirely by Volante3192 · · Score: 5, Interesting

    Just throwing this out, but maybe there should be a very basic question asked instead? Since these already presume literacy, maybe something like:

    Which of these is a number: A 2 R P?

    Seems that regardless of what they come up with there's going to be some part of the population that won't figure it out anyway, and if the whole point is to confuse auto-registerers, then I'd think it'd be harder for those to account for every possible question and answer set.

    (Yea, it's in TFA, but mentioned like an aside...)

    1. Re:Different method entirely by 93+Escort+Wagon · · Score: 5, Funny

      "Which of these is a number: A 2 R P?"

      Or, even better, put it to music - and add a time limit!

      "One of these things is not like the others,
      one of these things just doesn't belong.
      Can you tell me which thing is not like the others,
      before I finish this song?"

      --
      #DeleteChrome
  7. captchas discriminate against the blind by Speare · · Score: 4, Interesting

    The captcha concept breaks down if the user can't see the image, either through the limitations of their browser (links) or the limitations of their eyes. A US government site would have a hard time justifying captcha in light of their legal and moral responsibilities to the disabled citizenry.

    --
    [ .sig file not found ]
    1. Re:captchas discriminate against the blind by Rob_Warwick · · Score: 5, Funny

      Which is why you should /always/ use proper alt tags!

  8. captcha isn't that bad.... by Sancho · · Score: 4, Insightful

    ...unless you are blind. Some sites have alternate audio versions for the vision-impaired, but it's still a problem.

    And even if you aren't blind, I've run into many a captcha that I couldn't decipher. Poorly designed sites may delete the entire content of your post if you fail the captcha, but I guess that's a design issue for another topic.

  9. News for Nerds? by Silver+Sloth · · Score: 3, Informative
    There's not much here, it's written in the WSJ which means it's in language that my mum would understand, and has precious little in the way of hard facts. For those who can't be bothered to RTFA,
    1. There are things called 'Captchas'
    2. People don't like them
    3. Computers are getting better at cracking them
    4. Some boffins are trying to make new ones which people like and computers don't
    Really, that's all there is.
    --
    init 11 - for when you need that edge.
    1. Re:News for Nerds? by Red+Flayer · · Score: 5, Interesting

      And yet, the discussion of the article will prove to be much more illuminating than the article.

      What's wrong with an article being a spark for more in-depth discussion? How else are things rarely discussed in the media and never in depth (like most tech topics) going to be discussed on slashdot?

      Sure, I know this post (and the parent) are off-topic, but it bugs me when people think that the purpose of slashdot is just to accumulate articles... that's what RSS feeds are for.

      The discussion is what keeps me coming back, and typically, no matter how moronic the article is, there are several posts that give the kind of information that I wish was included in the article (but isn't). At the very least, people provide links to more comprehensive information and/or discussion of the issues concerned.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  10. Re:90% accuracy? Not bad. by aztec+rain+god · · Score: 5, Funny

    Not sure if cryptic is the right word

    --
    Sig cannot be found.
  11. The human factor by Rob+T+Firefly · · Score: 4, Funny
    I wondered at the possibility of using a system that would require human intervention rather than AI for some simple reason of observation, like "Type the color of this person's eyes" next to a JPEG. The only downside, is you have to trust the average Internet user's ability to type "blue," so of course that plan goes out the window.

    If I wanted to be really sadistic, I could instead present site readers with a sentence, in which they have to fill in either "their," "there," or "they're."

    --
    Slashdot Burying Stories About Slashdot Media Owned
    1. Re:The human factor by CohibaVancouver · · Score: 5, Funny
      If I wanted to be really sadistic, I could instead present site readers with a sentence, in which they have to fill in either "their," "there," or "they're."

      Your a looser for even sugesting such a thing!

  12. Re:Not the point by Rob+T+Firefly · · Score: 4, Insightful
    But for your average site, the captcha just has to be "good enough" such that someone won't bother to write a crack to spam a small fish.

    The paradox is, if a site has one that works really well for them, other sites will want to use it as well. As other sites use similar or identical systems, it becomes exponentially more beneficial for crackers to crack. So, as soon as something's good enough to use, it becomes good enough to crack.

    --
    Slashdot Burying Stories About Slashdot Media Owned
  13. Server in the Middle by Doc+Ruby · · Score: 4, Interesting

    Captchas are not hard to crack, now that someone has produced my favorite crack strategy. A "man in the middle" attack server hits pages with captcha challenges. That server advertises a "free porn" website, presenting to its human audience the captchas it hit. The porn seeking humans decode and enter the captchas, get the porn (or not), the server sends their entries to the original captcha page, and gets past them as often as humans seeking porn would. There's so many humans seeking porn that the middleman transactions happen in realtime, indistinguishable from direct human responses to the original captcha.

    This is v1.0 of the Matrix, where human brains are harnessed to solve problems by a more powerful and wise, though less "intelligent" computer network.

    --

    --
    make install -not war

  14. Captcha is a nice idea but... by erroneus · · Score: 4, Insightful

    ... it is annoying for users. Sometimes I get it wrong because I can't tell if the captcha technique they are using is case sensitive and I can't always tell the case of the character! Sometimes a lower-case L can be confused for a number 1 or vice-versa. So yeah, it's REALLY annoying.

    HOWEVER. A short and simple multiple-choice or true-false quiz might determine with some level of accuracy if the poster is a person or not. Simple stuff like a random image of a sheep, a lion, a bear or a whale with a radio button selection below it. It's easy to run through, it shouldn't require much skill from the user and has the potential to confuse interpreting software a lot more.

    This approach could also even be ENTERTAINING to the user in that funny pictures could be used in the image interpretation drill. Such questions could be "Is this person having a good day?" and you can put all manner of interesting images in there for a true-false scenario. Being an entertaining method will definitely win fans. Being tedius, stressful and mistakable will lose fans.