Slashdot Mirror
Will Solve Captcha for Money?
alx_lo writes "Captchas are a nice idea to protect your blog or guestbook from being spammed by robots.
But what good is this protection when you can hire "data entry specialists" to solve captchas for $0.60 per hour for 50 hours a week?
Anyone here who can think up a solution that does not include drastically changing the global economy? How about captchas that require cultural background knowledge to solve?"
I admin a PHPBB-based forum and the spam (from bots) was getting out of hand. They were going through the built-in CAPTCHA with no problem. The solution ended up being that I had to modify the registration form so that it wasn't just the default form. Throw a couple of oddball questions on the form, make them required, and bots can't deal with it since the bot script can't account for deviations from the norm.
Transistors and Beer!!
Yesterday, I saw a presentation by Dr. Luis Von Ahn (developer of the ESP Game, and other CAPTCHA type games). He claimed that spammers and porn companies are willing to pay about $2.50 an hour for 720 CAPTCHAs an hour, or about 1/3 cent per CAPTHCA. (The CAPTCHA solcing is needed to create more free email spamcounts.) I don't know why people would solve them for so much less...
Kitten authentication! It's perfect! Identifying small, cute, furry animals needs a basic cultural background in animals common to the West, but at the same time requires little or no intelligence (plus, it's fun!).
Try it out at http://www.kittenauth.com/node/5. It's currently being rewritten; if you can't see any animals the first time, click 'submit'.
What's purple and commutes? An Abelian grape.
It looks as if most spammers operate in two phase: first they collect valid guestbook URLs, and then, several weeks after, they spam those. Probably it's not even the same people doing both phases, the first could be selling lists to the second.
So, a couple of weeks ago, I moved my guestbook to another URL, and since then, I've got almost no spam (only 3 spams in 4 weeks, versus more than 10 per day before...). And apart from a simple keyword filter, the guestbook has no other protection (i.e. no captcha whatsoever).
So the real problem is coming up with CAPTCHAs in real-time with no permanent (this session ID) correlation made between the image link and the answer. Then hiring "slave labor" to make this mapping for you will be completely useless.
Yes and no - That solves the problem of precreated CAPTCHAs, by throwing CPU time at it, but the FP's complaint doesn't actually involve what CAPTCHAs solve.
CAPTCHAs, if effective (which a market for human solvers suggests), only prove that a human has responded. If a human solves it for pay on behalf of a spammer - The CAPTCHA worked perfectly. Virtually every suggestion on this topic has missed that key point. Using culturally-dependant information, or judgements of aesthetics, or awkwardly-phrased audio clips, or even time-wasting math problems, all still just prove that a human answered the question.
The real problem here involves the misuse of CAPTCHAs by those who assume they do something which they don't. They don't weed out "undesireables". They weed out non-humans. It really doesn't matter how complex you make them; if a human can solve it, you still have the same underlying flaw - Namely, that we have a HUMAN enemy in this battle.
Instead, we need to exploit a human vulnerability - Mortality. We need to hunt down spammers and kill them, slowly and painfully. We need to torture their wives and kids in front of them, then string the lot of 'em up in town squares as an example to others. We then need to hunt down all the companies funding these spammers as a form of advertising and castrate their boards of directors.
Or better yet, we need to trick them into running P2P nodes and let them and the RIAA weaken each other to the point that we can easily eliminate the winner.
Try getting a decent calculator, like a TI89/92 or an HP 48G+ (I have the latter). They do symbolic math just fine, and can thus give you exact answers.
A captcha-hater need only load the ROM from one of these calculators into an emulator, copy the ROM and emulator to each of the computers, and train the worker in how to enter the calculations.
tasks(723) drafts(105) languages(484) examples(29106)
The spammers already figured out the solution to every kind of captcha. They set up a free porn website where you have to solve captchas to get the hawt pr0n. Since there are people in every culture that want porn, you'll have trouble making a cultural captcha to fight this.
The method I learned in school was this one; we had a sixth grade math teacher that used to refuse to allow us to use calculators, so we had to solve square roots by hand and such. There's a similar method for cube roots as well. Linkage: http://www.nist.gov/dads/HTML/squareRoot.html.
So the real problem is coming up with CAPTCHAs in real-time with no permanent (this session ID) correlation made between the image link and the answer. Then hiring "slave labor" to make this mapping for you will be completely useless.
No, that won't work. The spam-computer is in the US, probably a bot-net drone. It automatically visits the blog to be spammed, and captures the CAPTCHA. It now sends this to the Indian, whom within 30 seconds types the correct answer, and this is now inserted on the page, and the comment is submitted - all within the same timeframe a human would need.
Imposing a very short timeout would make it harder on the bad guys (and the good guys...), but it would merely be an annoyance. Any AJAX2.0 magic you can think of, they can fake.
Square roots that result in a positive integer below 100 are easy. To get the tens place, just remember the squares of the numbers 0-9, divide the number by 100 and see which one it's closest to. To get the ones place of the sqaure root, use the ones place of the squared number (a 1 means 1 or 9, a 4 means 2 or 8, a 9 means 3 or 7, a 6 means 4 or 6, a 5 means 5 and a 0 means 0). So, for example, 3844. 38 is between 36 and 49 and is closer to 36, so the tens place is 6 and the one's place is below 5. And because it ends in a 4, the ones place has to be a 2.
My family used to use this as a game to play in the car...someone would square a number and then the first person to shout out the answer got a point. Then they'd square a number and then game would continue like that until we got to some pre-determined score. Worked well until I was 8, got bored with the game and started throwing out numbers that weren't perfect squares. I tried to get people to move on to cubes and 4th power numbers, but no one else could figure them out anywhere near as well as I could. So then we moved on to the game where someone would spit out a date and we'd have to name the day of the week to get the point.
And yes, my entire family are a bunch of geeks...