Evolution of the 'Captcha'
FireballX301 writes "The New York Times is running an article about the small word puzzles various sites use in order to defeat automated script registration while still letting humans through. It seems many people can't actually solve them anymore, so new alternatives (image recognition) are being created. This, of course, seems breakable as well — is there a feasible alternative to the captcha, or are we stuck jumping through more and more hoops to register at places?"
As a Christian fundamentalist, I cannot in good conscience believe that captchas have evolved, yet at the same time, since I can never figure out what to type to make them work, I cannot believe any intelligence was involved in their design.
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
The other day I saw a system that posed the question:
'Germany is a country in Africa?'
Your duty to prove you were human was to change it to the proper continent and the question mark to a period. Seems pretty foolproof, especially if you combine it with things like "and make 'country' all capitals."
In my mind, anything that can be put out by an automated system for the purpose of determining whether the communication on the other end is from an automated system can, with enough ingenuity, be answered by an automated system. IOW, all 'captchas' and similar methods are ultimately defeatable. It's an arms race, just like DRM: clever people will always figure out how to defeat whatever protections you put in place, no matter how clever your protections are.
My blog
What word did you have to type to prove you weren't a bot? A good sample might give us an insight into which words are used: why? I had to type 'interest' - which seems to have no real distinguishing feature.
Are they chosen for any good reason, or are they completely arbitrary? Are there letters that bots have trouble with? Fonts? Who knows?
The only thing that's sure is that every protection will eventually be broken.
What's more, maybe if you can't solve a simple word puzzle, I don't want you registering at my site...
There are 10 kinds of people in this world: those who understand binary, and nine other kinds of people.
Ask the user to perform a task that only a computer is likely to succeed at, like factorizing a 6-digit number. If the user gives the right answer, and this is the cunning part: Then it's not a human!
MAN, I feel clever some times.
Why not just ask actual questions?
Big db of easy questions, sets of which are rotated often.
They are quite hard to read, but they are also always real words. So I can easily narrow it down.
Unfortunately, that also means a bot armed with a dictionary might be able to do the same- ^H^H^H^H^H^H^H^H
B uy your v*|*g*r*4 here! Ch3ap!
We recently heard (someone else will post the link) that scanned books would be used for an experimental captcha program since machines aren't picking everything up. So I guess there's still differing opinions here ...
Mongrel News all the news that fits and froths
OK, I am a bit shortsighted, but still, some of the captchas are so garbled with bright-colored random pixels/forms, while the font color of what was to be read was light gray/pink/blue on a white background (and naturally distorted), that frankly I swore loudly while trying for the 5th time to enter the correct random combo of lower case, upper case and digits.
I am not sure if a picture is better, but it is definitely a step forward if I don't have to spend 5 times retrying.
C. Sagan: The Demon-Haunted World:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
I find some of the most cryptic captchas on the Ticketmaster site. Granted, the site deserves stringent bot control given the risk of scalpers, but some of their patterns border on the ridiculous. TFA mentions someone who achieved 25% success in deciphering those Ticketmaster ones and I am thinking, "how does he do that?!"
My sig has been answered.
um... I don't know where you've been registering, but the ones I usually see are something like
JCMS5IK
I don't really mind them, except when they use I's, 5's, s's, 1's or l's. I've also seen a few that are case sensitive and use m's or something like that.
Some are getting better by not using those characters, while others are getting worse, and every time you get it wrong they give you a new one... sometimes you just have to keep hitting refresh till they give you a decent one.
OTOH, some now also use a short audio clip pronouncing the letters... (I believe facebook is doing that, I may be wrong though)
~/.sig: No such file or directory
I always get annoyed by captchas... it's like a forced human intelligence test.
We know that humans are more intelligent than scripts, so I always thought it should be easier to test the lack of intelligence in scripts than proving intelligence in humans.
For example just use a simple honeypot in a html form. Put a dummy input field in a form. You can hide the field with CSS/noscript tag or just mark it: "This field should be left intentionally blank" or something of that nature to make it more human friendly.
Seeing that all form fields are generally blank, the spambot/script will fill your dummy field. On server side check if the field has data, ignore the submission. It would be a VERY intelligent script that could COMPREHEND the purpose of any particular html input field.
my anonymous 2c
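The honeypot-field trick from the comment above, written out as an added example (this is not code from the thread or from any particular site). The decoy field name `website_url`, the CSS used to hide it and the three sample submissions are all made up for the illustration; the decision logic is the one the comment describes: any content in the decoy field means the client filled every input it saw.

```python
"""Added example, not code from the thread: a server-side honeypot check for a
registration form. HONEYPOT_FIELD, the form markup and SAMPLE_SUBMISSIONS are
assumptions made for this illustration."""

from typing import List, Mapping, Tuple

# The decoy input. It is hidden from people with CSS rather than type="hidden"
# (scripts tend to skip type="hidden" but fill anything that looks like a text box),
# and labelled so that anyone who does see it leaves it alone.
HONEYPOT_FIELD = "website_url"
REQUIRED_FIELDS = ("username", "email")


def render_form() -> str:
    """Return the registration form HTML with the decoy field in place."""
    return "\n".join([
        '<form method="post" action="/register">',
        '  <label>Username <input name="username"></label>',
        '  <label>Email <input name="email" type="email"></label>',
        '  <div class="hp"><label>Leave this field blank '
        f'<input name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off"></label></div>',
        '  <button type="submit">Register</button>',
        '</form>',
        '<style>.hp { position: absolute; left: -10000px; }</style>',
    ])


def classify_submission(fields: Mapping[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) for a parsed POST body.

    A filled decoy means the client populated every input it could find, which is
    the bot behaviour the comment relies on. A person either never sees the field
    or follows the label and leaves it empty.
    """
    if fields.get(HONEYPOT_FIELD, "").strip():
        return "reject", "honeypot field filled"
    if any(not fields.get(name, "").strip() for name in REQUIRED_FIELDS):
        return "reject", "missing required field"
    return "accept", "ok"


# Constructed sample submissions: a browser that sent the empty decoy, a client
# that omitted the field entirely, and a script that filled everything it found.
SAMPLE_SUBMISSIONS = [
    {"username": "alice", "email": "alice@example.com", HONEYPOT_FIELD: ""},
    {"username": "bob", "email": "bob@example.com"},
    {"username": "v1agra", "email": "x@example.net", HONEYPOT_FIELD: "http://example.org/pills"},
]


def run_samples() -> List[str]:
    """Verdict for each sample submission, in order."""
    return [classify_submission(s)[0] for s in SAMPLE_SUBMISSIONS]


if __name__ == "__main__":
    print(render_form())
    print(run_samples())
```

The check is cheap and invisible to people, but it is only a filter for scripts that fill fields blindly; a bot written against this specific form will simply leave `website_url` empty, which is why the comment frames it as a way to catch unintelligent scripts rather than a proof of humanity.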
Where on earth will they generate all these images of cats and dogs? If they use the same images over and over in a test, it will be very easy for a program to do. The only way would be to have many, many pictures of cats and dogs, ideally with each image being unique. Exactly how will they generate these images?
um... I don't know where you've been registering,
/. does with its not-logged-in captcha
I don't know, but with a subject like:
I like what
Maybe slashdot?
Log out, try post AC in reply to an article or post.
Notice the captcha?
use http://www.bugmenot.com./
Consolidate all these little snippets of our life (keylogging over a period of time) and I'm sure that you could build a profile of my life that is more complete than any federal database in existence.
I'm actually considering inventing a 'password doppelganger' with a fake address, mother's maiden name, last 4 digits of my SSN, first 3 digits of my SSN, zip code, billing address, shipping address, dog's name, cat's name, place of birth, date of birth, favorite color, first street address, favorite car, favorite password.
Because all of these sites and companies use different 'snapshots' of our personal data to identify us, I'm pretty sure that they have overlapped 100% of the information necessary to perform a perfect identity theft.
Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
+5 Funny in 7min 15sec AND frost pist! /.
Come to think of it, it's great to see an fp without some sort of script bollocks. Welcome back to
One day, everybody will have a digital ID. You know, the kind used to digitally sign e-mail. If you had to digitally sign your request to create an account with a certificate issued from a trusted CA, then using a bot creates the potential of the user having his digital certificate revoked.
With the likes of BugMeNot.com, which people can use to distribute usernames and passwords for websites, there is little incentive to collectively continuously register. Look at how many websites are eating us and desperately trying to hold our attention to feed them users. Maybe there is another model, one better than subscription-based?
I was on a site this weekend (I'd link to it if I could remember) where the author of the blog had several images of himself in various poses and facial expressions. To post a comment, the captcha "puzzle" required you to click on x out of 9 thumbnails that matched the questions: "angry Bob" (image of Bob filled with rage), "happy Bob" (big shit-eating grin), "flying Bob" (arms spread out like wings) etc.
It seems surprisingly effective, although I can't say I know much about the state of OCR technology right now and if/how this could be defeated.
body massage!
Fark forums, with text captions helpfully photoshopped at random.
XML is like violence. If it doesn't solve the problem, use more.
Right now this is a cat and mouse game. I've come across captchas that I cannot do. However, in 2020 computers are supposed to be as smart as a human. So, when that happens, how can we then differentiate between them?
examples are here (under Guidelines > Accessibility) and here
My father is partially sighted. He has enough trouble reading the actual page (try navigating around advertising with a very limited field of view). Captchas just lock him out of the site.
Instead of asking us to recognize visual things, why not use sentences, like questions, to which only humans could correctly reply? For example: What's yellow and dangerous?
Seriously, only limiting captchas to recognizing something in an image makes it pretty limited, they might wanna try asking questions to the user, if they haven't tried that yet.
You just got troll'd!
http://video.google.com/videoplay?docid=-8246463980976635143&q=tech+talks+human+computing
I've noticed lately that a lot of web sites apply the banhammer rawther quickly to accounts listed on bugmenot.
An image comes up, for example a dog and then there are multiple choice check boxes with only one of them being right. Each checkbox should also have an image instead of text, ie match the checkbox image to the main image (with the dog you would make it two different types of dog).
Accessibility is the issue, but you could have the images pronounce the word when clicked.
Half of the sites that require registration are supposed to send an e-mail to finalize the process. I have had three or four of these that show me as a registered user and all, but I can't get full access because I never receive the *&#@ e-mail confirmation.
I can even go in and ask for it to be re-sent and it assures me this has happened but still no e-mail reaches me. I don't know if these mysterious missives are being devoured by overly gung-ho spam catchers along the route or what, but it's danged frustrating.
Between ever-better computer image recognition algorithms and cheap offshore labor, captchas are doomed. Moreover, captchas don't even solve the actual problem, because the goal isn't to distinguish human from nonhuman, but to distinguish spammer from nonspammer. This means we need some mechanism to identify a registrant and be aware of their behavior.
Why don't sites band together, share data on abusive registrants, and require each new registrant to provide "references" in the form of their logins to 3-5 other sites. A person with a normal online life could easily demonstrate a pattern of nonspammy behavior. People with no prior history might be placed on probation (their posts are reviewed and may not contain any link-like data). If a registrant posts spam they temporarily (or permanently) lose their accounts on that site and all connected sites.
At some point in time, the only thing that will work is a system that tracks the identity behind the account, assigns a reputation and ostracizes miscreants.
Two wrongs don't make a right, but three lefts do.
I read some time ago about a guy who wanted to spam a large ISP (can't recall the company), so he created a porn site, botted the ISP and scraped the captchas, putting them on his porn site where a good old human was waiting to do the work for him. Seems porn can power anything.
Yeah, one day we'll all have digital ID's on microchips implanted in our bodies and we won't be able to buy or sell anything without them.
I think that he was just going for the +1 funny ...
Perhaps captcha bots will evolve into the first programs to pass the Turing Test?
I had something I wanted to post a reply on Slashdot last week. But I couldn't read the captcha, nor could I get a new one, to try to post my reply... I hate them...
slashdot's captchas can be just as bad...
... if they would just drop the stupid login requirement for reading articles. I can understand needing it to post a comment. But it should be entirely voluntary for reading. Maybe their reporter should be doing a story on this silliness that seems to be rampant among a lot of major newspapers.
now we need to go OSS in diesel cars
Spam registration bots are reading captchas far too well. I gave up on them on a site I admin. A more feasible solution is to have a registration code that they have to enter that is present on some other part of the site, or have them answer a question like 'how many beers are left in a six pack if you drink two of them'. Humans can, in general, understand this question and answer it correctly far more easily than a registration bot.
-X
...is the level of overlap between the most capable computer programs, and the least capable people. Make the problem difficult enough for computers and you'll end up keeping out a number of real humans, either by requiring some specific sense (sight / hearing) that some people lack, or by requiring intelligence that some people lack.
Replace the mangled-text-and-response captcha with a skill test, like punch-the-monkey. Maybe I could win an iPod while I'm at it.
Unrelated question....how do you validate the captcha if you are browsing with lynx?
Mod self -1,weird-mood-on-a-monday
Why, oh why, didn't I take the Blue Pill?
There are a number of companies with interesting captchas you might want to look at: http://cacheyourcash.blogspot.com/2007/05/annoying-captchas.html
The co-evolution of the outsourced Indian worker being paid $1-$2 per hour to solve hundreds of captchas per hour. Not to mention various porn sites and warez sites where you have to solve a captcha to get in; it just happens to be someone else's captcha. You want a captcha for someplace like a bank to work? Simple, get the person to input something that was chosen off site and that they would know. At best though it would still be security through obscurity and flawed. Captchas are fundamentally flawed, and as such are doomed to the dustbin of history like so many other things. Remember spam is a large business; if they have to outsource grunt labor (captchas), they'll do it. All you've done is add an inconvenience that solves nothing.
...is there a feasible alternative to the captcha...?
"Describe in single words, only the good things that come into your mind. About your mother."
nah, it's just early and I haven't finished my morning pot of coffee yet... can't read right now...
This is just to mention, on my Wordpress (free) installation there is a (free) plugin named Akismet that apparently is a very efficient collaborative filter service to remove comment filling attempts by bots.
I really don't know how it works, but it works perfectly well.
Every now and then I log into my site and check the suspicious, "on hold" attempts: 100% are bot-generated...
H.
Herve S.
You know, "One of these things is not like the other, one of these things is not quite the same.", then show pictures of things with one different. Maybe a difference in concept, like for example, outlines of 4 birds, one flying three not. Which is the odd one out.
Task Mangler
There are some things that I hate with a passion. Whenever I run into one of these (even the easier ones), they get into my top ten things I really wish the person that designed them has to spend time in a special hell filling out every one of these things successfully before they are allowed into heaven.
No reason why captcha authentication can't be fun or interesting. Best one I've seen so far is kitten captcha. Complex pattern recognition is easy for people but hard for pooters. So just ask, "is this a kitten or a puppy?" and you're done. The only downside is updating the pics, but there are some ingenious solutions for that as well... Posted about it on my blog: http://youredoingitwrong.mee.nu/kitteh_auth
You're doing it wrong--http://youredoingitwrong.mee.nu
Like it or not, these are "marketers." And just because they use less scrupulous methods than some other "main stream" marketers are tempted to use, don't let that fool you into thinking they are a different breed or species. I once worked for an alternative news weekly and it was all we could do to stop the sales people from "email blitzing." Prior to that, great pains were taken to ensure that they didn't ignore the "Do Not Call" list. They all smell money and they don't care what they have to do, who they have to annoy, injure or insult, in order to get it.
What prevents these more public marketers? Well, there's the fact that they are in the public light for starters. For another, there's plenty of regulation in place.
I think when it comes to advertising on the internet, it's time to move away from our "wild west" mentality and get these cockroaches into the light.
I haven't a clue how it should be done without sacrificing many of the better aspects of the internet we enjoy today, but there's no forcing commerce out of the internet. But if I were cornered into offering a suggestion, I would have to say that getting the IRS involved and taxing advertising might be an approach that would work out nicely.
How about using something that the brain perceives differently to what is actually measurably there, for example, optical illusions using colour.
There are some classic optical illusions where the brain perceives a different colour to the one that is actually there, because of backgrounds and other visual clues in the image. An automated program that simply measured the value would give a different answer to the human one.
e.g. the colour perception ones here http://www.echalk.co.uk/amusements/OpticalIllusions/illusions.htm
but of course as long as people are being tricked into answering captchas for the spammers there will never be a way around it.
How about a lineup of 8 faces in profile, to be matched with 1 head-on shot. Human must succeed at n out of m consecutive lineups (adjustable parameters). Pictures to be collected from old police archives.
Me and my friend Arnie Voight are working on a foolproof test for that right now, should be ready in about 12 years.
Bill Kampff.
Someone probably said this, but I'll say it again....
DON'T ASK FOR REGISTRATION when people are just looking.
Most sites and their content aren't worth the time it takes to register.
YOURS is worthy, of course. I'm talking about all those other guys.
I don't want to change anything, I don't want to say anything, I just want to look. Why the hell should I register on your site, to look at your review of ***, when I can look at a hundred other sites that have the exact same review of the exact same thing.
-I can understand registering to look at scholarly journals. I can't understand registering to look at a review of a year old game.
-I can maybe understand registering to look at NYT articles. I can't understand registering to look at reprints of AP reports.
Anyone think http://research.microsoft.com/asirra/ looks faintly reminiscent of http://www.kittenauth.com/?
I bet you can create a flash-based solution with some animation. That oughta be plenty hard to decipher for those bots!
Stop the brainwash
So the article says captcha stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". The Turing test is about whether a human could discern a computer from a human. The "captcha" problem is coming up with a test that will allow a computer to discern a computer from a human, and that's an entirely different story. Maybe instead of pictures of text, we should use pictures of objects, animals, public figures etc. That is still very hard for computers to do. They'd almost have to build a database of all the pictures themselves to crack it, and you could continually add or change out the pictures in your database.
Prov 9:8 Do not rebuke mockers or they will hate you; rebuke the wise and they will love you.
I bet you just discovered a new alternative to evolution and intelligent design. I propose we call it "Unintelligent Design".
Now, we can approach school boards and lobby for that theory to have the same exposure in classes as the other 2 older ones. That will increase children's capacity for dealing with the surrounding environment, and increase results at tests designed with the latest knowledge in mind.
Rethinking email
It seems like spambots are already successfully defeated by Slashdot's captcha, so it's time to take on the next step - Idiots!
Something like this should do the trick...
What about using browser recognition and some JavaScript with a normal captcha fallback (if the browser is recognized and the JavaScript runs correctly, the captcha image is not displayed)? Or instead of JavaScript maybe we could use some Flash (or even Silverlight) to do this kind of validation. Of course this isn't bulletproof (it depends on how the form-posting bot is implemented: whether it has a JavaScript/Flash engine and how well it can mimic the BOM, for example). This way we would not need captchas to be shown to most users, but users without JavaScript/Flash would fall back to a normal captcha. But then again, this is easily worked around by "the bad people". Maybe we should just use the same methods that we are using to fight spam: Bayesian filtering.
They ask you to identify 8 numbers that are spoken.
I tried it twice and could only identify 6 numbers on each occasion.
thank God the internet isn't a human right.
Setup webcams in pet shops and stream live puppy/kitten pictures to the world
Bigtime Consulting - "We're the best because we cost the most"
and don't forget that digital ID will be hidden in any digital content you buy, so that any copies you make can be traced back to you.
You can defeat any captcha by having your bot download it from the site to compromise, turn around and serve it to a user browsing a different site you control, then relay the solution back to the original page. You don't even need to pay the users.
Shamus Young (the creator of the "DM of the Rings") recently introduced a captcha on his site to deal with comment spam. In his post about using a captcha on his site, he notes that:
Emphasis mine. He's running a fairly popular site, and using a captcha based off of a single, unchanging, three-character phrase. Just the presence of the captcha was enough to effectively eliminate his spam problem. The indication seems to be that just the presence of a captcha is enough to keep spam off of even a moderately popular site.
"Great men are not always wise: neither do the aged understand judgement." Job 32:9
Perhaps if more sites embraced OpenID...
1) I wouldn't have to register at confirm at 40,000 different websites
2) They wouldn't have to screw around with scripts & captcha's
Funny you mention that, I had an idea to do Turing Tests as captchas a while back (I called it Jury Captcha since you're judged by your peers). There are some obvious problems with it (like not being able to control the possibly objectionable content, and needing people to be active on the site before you can post), but if you want a simple way to determine if someone's human, it's better to have humans do it than a computer. Here's a copy/paste of the stream of consciousness I had on it:
I just thought of a strange idea for a captcha: IM/BB based. On a well-traversed site, you could have old-fashioned community Turing tests off to the side, and when Randomly assigned user number X at [hidden] IP gets a thumbs up, the user can make a post anonymously
Hey, another idea: if you could build a trustworthy name for your site, you could handle requests for other sites... so multiple sites could have a common IM captcha, thus increasing the body count for testing. Still some possibilities for abuse...
even if you randomly pair the conversations, and require multiple thumbs-up, you could have bots giving each other thumbs-up
random three-four way conversations that are randomly meta-moderated? minimum two votes to kick for objectionable content in chat (abusable...)
> Just the presence of the captcha was enough to effectively eliminate his spam problem.
Custom solutions tend to work. At least for some time. For popular OSS projects this is usually not an option, and not all users of popular OSS software are capable of or willing to write a custom solution.
There is a very funny prototype captcha I've seen on the net. They take the photos from "hot or not" and put them in a 3x3 grid and ask the user to pick the hot ones. The other most effective one is a 3x3 grid asking the user to tell the difference between different furry animals. Computer vision is way behind when it comes to figuring out fuzzy things.
Damn is he good. I pass once every four times.
Is it a 0 or an O or perhaps a Q.
Is it a 1 or an I or perhaps an l.
Is it an s or an S or perhaps a 5.
I damn well hate those bastards.
Martin
I saw many sites with "captchas" involving choosing which of two pics contains a gorilla. I laughed like hell, since although those are very easy for people, they are also meaningless against bots: if a bot has a 50% chance to pass a captcha, it is not a good captcha...
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
The goal of CAPTCHAs in most situations is to make the business of using a bot not cost effective.
You can do this by slowing the bots down, and not stopping them entirely.
Humans will wait 30s to enter a site they should be going to, this is death to bot operators (even with large botnets). Like what hashcash does for anti-spam.
An example is here, to protect email addresses.
Yes, you could write a clever tool to do the math in compiled C and not JavaScript, but the cost is still there.
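The hashcash-style gate described in the comment above, as an added example (not the email-protection tool the comment links to, and not code from the thread). The server hands out a signed challenge, the client burns CPU finding a counter whose hash has enough leading zero bits (in the comment's scenario that loop runs as JavaScript in the browser; here both halves are plain Python so the exchange can be run end to end), and the server verifies with one HMAC and one SHA-256. `SERVER_SECRET`, `DIFFICULTY_BITS`, `CHALLENGE_TTL` and the `timestamp:nonce:mac` challenge format are assumptions made for this example.

```python
"""Added example, not code from the thread: a hashcash-style proof-of-work check
for a form. SERVER_SECRET, DIFFICULTY_BITS, CHALLENGE_TTL and the challenge
format are assumptions made for this illustration."""

import hashlib
import hmac
import os
import time
from typing import Optional, Set, Tuple

SERVER_SECRET = b"demo-secret-rotate-in-production"  # assumption: never sent to clients
DIFFICULTY_BITS = 16      # about 65k hashes per submission on average
CHALLENGE_TTL = 600       # seconds a challenge stays valid


def issue_challenge(now: Optional[float] = None) -> str:
    """Server side. Format 'timestamp:nonce:mac'; the MAC stops clients from
    minting their own challenges and precomputing work for them offline."""
    ts = str(int(time.time() if now is None else now))
    nonce = os.urandom(8).hex()
    mac = hmac.new(SERVER_SECRET, f"{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{ts}:{nonce}:{mac}"


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (hashcash's 'partial collision')."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def solve(challenge: str, bits: int = DIFFICULTY_BITS) -> int:
    """Client side: the only known way to find the counter is to try them in
    turn. This loop is the per-registration cost a bot operator has to pay."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return counter
        counter += 1


def verify(challenge: str, counter: int, now: Optional[float] = None,
           bits: int = DIFFICULTY_BITS, seen: Optional[Set[str]] = None) -> Tuple[bool, str]:
    """Server side: one HMAC and one SHA-256 regardless of how long the client
    worked. 'seen' is an optional set of spent challenges for replay protection."""
    parts = challenge.split(":")
    if len(parts) != 3:
        return False, "malformed challenge"
    ts, nonce, mac = parts
    expected = hmac.new(SERVER_SECRET, f"{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(mac, expected):
        return False, "challenge not issued by this server"
    age = (time.time() if now is None else now) - int(ts)
    if age < 0 or age > CHALLENGE_TTL:
        return False, "challenge expired"
    if seen is not None and challenge in seen:
        return False, "challenge already spent"
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < bits:
        return False, "insufficient work"
    if seen is not None:
        seen.add(challenge)
    return True, "ok"


if __name__ == "__main__":
    challenge = issue_challenge()
    start = time.perf_counter()
    counter = solve(challenge)
    print(f"solved {challenge} with counter {counter} in {time.perf_counter() - start:.2f}s")
    print(verify(challenge, counter, seen=set()))
```

Raising `DIFFICULTY_BITS` by one doubles the client's average work while leaving the server's cost unchanged, which is the asymmetry the comment is after. The MAC and the TTL matter as much as the hash: without them a bot farm could stockpile solved challenges, and the comment's own caveat still applies, since a C implementation will grind through the loop faster than browser JavaScript and the difficulty has to be set with that in mind.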
Captcha's didn't evolve. There were put here 3,000 years ago by God when he made the Earth. Any evidence to the contrary was put there by God to fool you. Get with it.
Your suggestion, which is also mentioned in the original article, turns the captcha into a language test: are you human and do you speak English (well)?
Yes, most people will know what a cat and a dog are in English, but it won't stop there. How long until difficult English terms are used because bots (brute force) crack the (few) simple tests?
Since 99% of all Flash is advertising I am not interested in I have Flash deinstalled or deactivated.
If you're going to be making your users validate anyway, why not just have them validate the comment/post instead of forcing a conversation upon them. JimFive
Please stop using the word theory when you mean hypothesis.
Good point; didn't think about that. Otherwise, the Turing Test would become the spam field. Oh well, back to the drawing board.
you are not alone!
What is worse is all those brain dead postings of viagra and other crap the amoral idiots insist on spamming us with.
Shooting spammers should be legal.
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
the captcha is not a puzzle. it's a human check.
the reason we can't solve them anymore is because of the wild and varying fonts used by some paranoid webmasters.
They're using their grammar skills there.
I saw a site the other day that used a captcha.... except it was (when I visited) just a picture of a dog. Underneath it it said, "what is this?" and had a text field to type in what it was.
I typed in "dog", hit submit and it worked. I signed out, went back to the sign-up page and got a picture of a Lexus. I typed in "lexus" and it worked. I was curious if it would have worked if I typed in the actual model, or "car" or "sedan." So I refreshed the page continually through about 200 pictures and I never got back to the Lexus, but I did get back to the dog. So this time I typed in "greyhound" and it worked.
To me that seemed like a cool captcha: it's so open-ended and seems to be extremely difficult (given enough images) for a machine to know what to say, but accepts enough "correct" answers that a person should have no problem.
crap.
Simple thing for handling these bots: they're all working on the idea that you're activating something, some button that's labeled 'submit' or something similar, right? So don't do that.
I've seen sites where they have two links- one's hidden in the disclaimer, the other one's obvious. Click the obvious 'Yes I agree' link, and you get dumped to a page explaining how you obviously didn't read. Read the disclaimer and it explains the correct link is hidden.
So set up the submission form like that. Most, if not all, have some variant on the 'yes I agree to these terms' checkbox. Set up a 'I am a spambot, and you can delete this piece of crap application' checkbox.
If you click the box, it takes you to a standard 'Thank you,' page, which cheerfully announces your application has been put in the circular filing cabinet and will be ignored promptly. Don't click the box, you get the normal success screen.
Yes, everybody'd have to do some sort of 'gotcha' like this individually, otherwise the bots would get reprogrammed and catch it. But that's just life.
If you can't figure out the captcha, and you don't have a friend willing to help, then you are both:
1. dumb (bad) or blind (sorry)
2. unfriendly, hostile, anti-social, etc.
All smart people with good eyes pass. All friendly people pass.
If you are neither smart nor friendly... gee, our loss, huh? So sad, we'll miss you!!!
Are you aware that the T in captcha stands for turing?
OK, so at the bottom of the form you have a Flash box that has a pic of Parasite Hilton moving back and forth across the screen. Your cursor is a set of crosshairs. The message is "shoot the parasite 3 times to sign up."
There are many possible variations:
Punch George Bush
Swat the fly.
Whack the mole
George vs. Bin Ladin
Hilary vs. Obama
Hilary vs. Guliani (sp)
you get the picture.
Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
If you read Shamus' blog post, he's not using a custom solution - he's using a standard Wordpress plugin that is configured to only offer up a single captcha phrase. Presumably, if he were to run into issues with using just the single phrase, he could update his configuration to use additional captcha phrases, without having to do any custom development.
Slashdot uses them, which means that I can no longer post when using a text-based browser (links, etc). Yes, I realize it is outdated, but as a supposed geek site one would assume that they might have thought about the implications for those that use the "good ol ways" to get online.
http://imagespar.com/view.php?img=9b170467ca20cf4e8d63903db87051b0
Why not just switch to something like OpenID for all registrations. Let the OpenID system figure out bot or not. And if someone abuses the ID, it gets turned off and they lose access to everything.
The above is not worth reading.
Try kittenauth!
Speak truth to power.
I consider myself to have pretty good eyesight and I get about 50% of captchas wrong. The point of a captcha is to ask something that is trivial for a human being and difficult for a computer. Rather than using the often very difficult to read "swirly text on a swirly background" images that are so common, go down a different path. Show photos of people's faces, 1 woman and the rest men, and ask the user to pick the female. Some photos of animals: pick the cat/elephant/parrot/gerbil etc. Some photos of people with different exaggerated facial expressions: pick the angry/sad/happy person. Some care would be needed in picking the images, but once the initial work is done it is much easier for a user to recognise which one of a series of faces is female than it is to work out what word that swirly squiggle is supposed to be.
I once spent some mental energy thinking of better captchas; such as male/female recognition, picking people out of crowds, etc. Things that would be tremendously difficult for a computer but relatively easy for a human. But then I came across a captcha cracking method that pretty much sealed their fate. Though they still may help some sites where there isn't much motivation to break through, I think they're more or less dead for sites under serious attack.
I read about a method of captcha breaking that ends the arms race: real humans. Specifically, a porn site that lets you view a free picture for each captcha. Then you've got the motivation for actual people to use their advanced organic hardware at distributed captcha cracking -- sort of a human porn-bot-net.
Ingenious, but it kind of killed my hopes of building a better captcha.
Mechanical Turk
My personal belief is that nowadays coders are just too bored to create any new kind of captchas...
Just thinking about it, I can think of some new ways to make it pretty hard...
The greatest way spammers found to keep spamming, was to have humans (e.g. the guy seeking his free porn) enter the captcha, the bot gets the value back, and manages to subscribe/create an account/login/post... Now, how could you stop things like that?
"(Some image) some text (another image) and yet some text again"
The user would then need to type the whole sentence, and not just the word...
Also, if you already have javascript on your website, just put some hidden input in the form whose value would be changed by javascript; you can put any kind of algorithm here, be it some ajax or whatever, just change it dynamically. If it doesn't work, either it's a spammer, or it's someone who doesn't see/use your website at optimal power anyway... Bots don't support javascript all too well...
Another thing would be to show captchas as part of the design, and not some img src='captacha.php?id=0937409283' which is a dead giveaway... Like I said earlier (see above), having one part of the sentence shown using a regular image, and the other using CSS or whatever banner.jpg that gets processed through PHP, sure it won't be CPU safe, but it'll get you there...
Suuuuure, like someone said earlier, they will always be able to crack down any method you put up, if they really want to get to your website and spam it down, they'll get there...
It's just a matter of coding the right bot...
But for long shot bots, I'll be damned if they get through that kind of thing...
So rather than put the burden of proof on humans to prove they're not a machine, put the burden of proof on the machines to prove they're a human?
Take your average HTML form:
Rather than have 1 textbox for a field value, have 10. UserName1, UserName2, UserName3, etc.
Use javascript to randomly assign one of them as visible. The rest are hidden from the user.
On the server, watch to see which textbox is filled. Presumably, with decent enough javascript skills, and stupid enough bots, your humans will fill out what they see, which is the correct combination. The bots won't.
Granted, this method can be defeated if the bot checks for field level visibility after the page finishes loading, but even then, with decent enough javascript, you can continue to provide unobtrusive checks to ensure that your user is real -- e.g., unless the bot is running a macro through a web browser itself, your onblur events probably won't be tripped. And so on.
This puts a burden on the developers to come up with clever ways of defeating the bots, but in reality, that's where the battle is -- html application devs. vs spambot devs. Users shouldn't have to be dragged into the middle.
Yes CAPTCHA is a pain but it is here to stay till we find a cure for SPAM
Chris,
Php Programmers.
I tried implementing my own system for a soon to be operational website where the user has to interact with the page before generating a random word and then being asked to enter the nth letter of that word.
It was a choice between using Javascript to get the user to interact with the page (potentially this can be done in an applet or flash as well) and then generating a random question, or the standard image captcha which I hate.
It isn't foolproof, but it can be beefed up with some server side stuff, at which point I'd stick it on sourceforge. I also figured that variety is the spice of life for defeating captcha robots. This system would be easy to rename things randomly/obfuscate the javascript. Obviously it then only works if javascript is enabled, which may not float your boat.
Professor Karmadillo Songs of Science
We're using it on our animation forum - can't guess the title the animation is from, you're not getting in. Stops most human-paid captcha solving because most of those people don't watch animations as heavily as we do, and they're getting paid to break WORDS and NUMBERS, not an animated short from some film they have no clue about.
To bypass this, the human side will HAVE to get smarter - not likely considering those in the business probably don't watch cartoons or anime very often, considering the origin of half of these spam/phishing attacks.
I've recommended this to "Tom" of MySpace and he says it's not feasible due to the human intervention factor - our forums have been spam free for about four months, now. Spam emails from the ISP I was subcontracting for dropped 70% with that idea. Doesn't work, huh?
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
This is somewhat related, since it involves fooling automated programs: I encoded my real email address into an autostereogram (you know, those "Magic Eye" puzzles) to prevent it from being harvested by bots.
Modern copyright is theft of culture from everyone and it retards the progress of the useful arts and sciences.
AFAIK this technique was pioneered by Jeff Atwood with his "ORANGE" captcha.
What I find interesting is that this methodology has really driven pattern and character recognition. To the point that humans find it difficult to decipher almost as much as the 'bots do.
I think rather than words, start issuing picto-graphs "circle, square, rectangle, triangle..." and then once those can be figured out by bots up the ante "dog, cow, mountain, house....". These will eventually be able to be read by bots as well. Then start using photos.
Image recognition has been a slowly developing field. What better way to kick-start it than to make it a challenge to thousands of script-kiddies?
-CF
Sorry everyone, but this problem has already been solved.
http://www.phpbb.com/community/viewtopic.php?t=472940
On http://www.saveirelandbaldwin.org/ a sample question is:
Mary had a little _ _ _ _.
Obviously this question would be limited to those with a knowledge of Western culture and nursery rhymes but that's easier for me than culling the bot accounts.
On another site a sample question is:
2 x 3 = _ ?
I'm unaware of a limit to the number of questions that you can input. They appear to cycle sequentially.
This won't prevent humans from creating accounts but has so far stopped 100% of the bots.
JAGga.me ----> Producing video games addressing emotional health and wellness issues affecting teens.
Isn't there a creationist captchas museum opening soon?
What ever happened to email validation?
What if the user is signing up to get an email address, and isn't able to/willing to supply another?
Part of the reason email validation is falling by the wayside is that in these days of spam, users do not trust a new site enough to keep their email address out of the hands of spammers. You may eliminate 100% of your spam, but you might just eliminate (or severely reduce) the number of new users who are real human beings. Furthermore, too many phishing schemes have made many people a bit paranoid about clicking on links--if they were burned by the scam once they might want to be sure the forum isn't a front for phishers to collect personal info.
The other issue is that email validation can be defeated too if it is not carefully crafted. If email validation makes a resurgence then spammers will direct their efforts to that technique as well--first, by scanning for links to follow for validation (easy to look for the A tag, or http-something), then if the email is altered to show a bitmap and instructions to type the link manually you get into the same cat-and-mouse game we already have with captchas. To catch email scanners you might even have to use a captcha on your verification page! So, in the end you've just made it more annoying to sign up for your site.
Ultimately, your other approaches are going to be the only workable solution--checking referrers, blocking of known spam clients, applying email-spam heuristics to your blog/discussion posts and so on. This, of course, will have to be used alongside captchas as a front-line defense. Personally, I don't mind the use of simple quizzes, word puzzles, etc. over the traditional try-to-squint-and-see-the-gibberish method. Not only does it filter out spammers, it could also be used as a stupidity-filter which might improve the quality of discussion on many forums.
To know there are people out there right now, browsing their favorite blog about fuzzy kittens, reading a comment that says "V!@gra ch3ap!" and thinking to themselves "Well hell, I've been meaning to stock up!"
It boggles the mind.
--
Can you watch my sig while I step out for a sec? Make sure no one steals it.
Experience teaches only the teachable. -AH
You're still fucking over those of us who may not be using javascript for security purposes or whatever else. There's no good reason to force me to allow client side scripting just to read a damn forum.
Give me Classic Slashdot or give me death!
Why is it that my spamfilter has big difficulty detecting clearly readable images with stock messages yet they can't find a good captcha. I'd say spend some more time reading your viagra offers.
I used to get quite a few clearly readable images which were split randomly in smaller images and put back together as a whole. Also these images were animated gif files which once every 10 seconds shortly blink to make the image file more complex to simply analyse.
What if you take a simple captcha, split the image into smaller images, take the actually cross browser working parts of the Acid2 test and render an image that way.
This could probably still be solved by running a recent browser, opening the page, waiting for it to be rendered, then taking a screendump and running the captcha software but doing so will at least slow people down a lot while users with a recent browser don't notice a single thing.
My freeware games
As a simple alternative to a Captcha, sites could employ a randomly generated password string (alpha and/or numeric) in conjunction with a randomizing virtual keyboard.
When a user is presented with a clear text password (either in an image or plain text) he or she would simply have to click on the corresponding virtual keys, which would then transmit the coordinates of the click to the host as a means of verification.
Successful attacks against virtual keyboard systems have involved the attacker logging the input value (password / PIN) for reuse. However, in a Captcha scenario, if random pass strings are combined with random keyboard layout, logging input value would not benefit the attacker since he or she would not be able to predict when, if ever, the pass string might be reused.
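As an added example (not code from the poster), the randomized virtual keyboard in Python: the server issues a fresh pass string and a fresh shuffled layout per attempt, the client sends only click coordinates, and the server maps them back through its copy of the layout. The grid geometry, alphabet and in-memory session store are constructed assumptions.

```python
import hmac
import secrets
import string

KEY_W, KEY_H, COLS = 40, 40, 12        # constructed key size (px) and keys per row
ALPHABET = string.ascii_lowercase + string.digits   # 36 keys -> 3 rows of 12

# Constructed in-memory store standing in for a real session backend.
SESSIONS: dict[str, dict] = {}


def issue_keyboard(length: int = 6) -> dict:
    """Server side: one pass string and one shuffled layout, both single-use.
    layout maps each character to the (row, col) cell it occupies this time."""
    keys = list(ALPHABET)
    secrets.SystemRandom().shuffle(keys)
    layout = {ch: divmod(i, COLS) for i, ch in enumerate(keys)}
    pass_str = "".join(secrets.choice(ALPHABET) for _ in range(length))
    sid = secrets.token_hex(8)
    SESSIONS[sid] = {"pass": pass_str, "layout": layout}
    # The pass string is shown to the user (image or plain text); the layout
    # is what the page draws. Both travel to the client, the answer comes back
    # only as coordinates.
    return {"session": sid, "pass": pass_str, "layout": layout}


def cell_at(x: int, y: int) -> tuple[int, int]:
    """Translate a click position into the grid cell it landed in."""
    return (y // KEY_H, x // KEY_W)


def click_for(layout: dict, ch: str) -> tuple[int, int]:
    """What a human's mouse produces: the centre of ch's key in this layout."""
    row, col = layout[ch]
    return (col * KEY_W + KEY_W // 2, row * KEY_H + KEY_H // 2)


def verify_clicks(sid: str, clicks: list[tuple[int, int]]) -> bool:
    """Server side: decode clicks through the stored layout, then discard it,
    so a logged click sequence cannot be replayed against a later layout."""
    sess = SESSIONS.pop(sid, None)
    if sess is None or len(clicks) != len(sess["pass"]):
        return False
    cell_to_char = {cell: ch for ch, cell in sess["layout"].items()}
    typed = "".join(cell_to_char.get(cell_at(x, y), "?") for x, y in clicks)
    return hmac.compare_digest(typed, sess["pass"])
```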
How did this thread get stolen by atheists and fundamentalists???
I employ a couple of different open source CAPTCHA modules on different sites, and both of them have significant settings tweaks in fonts, backgrounds, polygons, text angles, length of strings used, characters used, shading used etc etc. I tweak each one and test until a balance between solvability and readability is reached. I usually use different settings for each form... and balance them out so that I can solve them, but they aren't plain to read.
I do see CAPTCHA modules all of the time (Ebay is a prominent example) that have settings so dialed up that I often get the CAPTCHA code wrong.
Establish metrics. If your CAPTCHA instances are not correctly identified more than 10% of the time, you probably have problems with your settings being too complicated for the average user to identify. If you have a failure rate less than 1% of the time I would say your CAPTCHA might be too simple.
I am of the belief that there is nothing wrong with CAPTCHA when attention is paid to setting the scheme up properly. It is a reasonably simple method and barrier to unwanted SPAM and automation scripts.
Oh... what happened? Did your parents lose a bet with God?
I built a program I call SpamTax that sits on my blog. It requires the poster's computer to work a series of rotating 1-way hashes and reply with the correct values before any post is accepted. It takes about 30 seconds for most PCs to work and users really haven't noticed (well, I no longer get aolv("ME2!!!!"), but I don't miss those).
A comment spammer can drop about 100 posts a second, so I change the profit model if I can grab 100% spambot CPU for 30 seconds. It is now easier to skip my blog in favor of 3,000 other posts in the same interval.
Any suggestions on where I should post the source code? It is PHP and JavaScript and fairly modular.
Just had an idea, so I'm sure that there are probably some holes in this, but here goes.
You said to put the burden on the machine, not the human. So why not just have a (relatively) complex question that could either be done by javascript or something similar. Mathematical questions would be ideal. Anyway, the correct answer has to be put in and the question would be easily available/readable. I know that computational power will continue to become cheaper, but the questions could continue to be harder as well.
Anyway, the premise would be that the computation would cost (processing time) and would therefore make the act of spamming not cost effective. I don't know if this would even be possible, but what if the question could have a positive benefit as well, say Folding@Home. So if part of the folding algorithm could be implemented in JavaScript, then before submitting an AJAX request would be made to get some data that had to be processed along with the submission. I know, I know. How would we know if it processed the data correctly? Anyway, it was just an idea to get the thoughts rolling.
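As an added example in Python (not the SpamTax source, which its author describes as PHP and JavaScript), a hashcash-style version of the "make the client do the work" idea in both posts above: the server issues a nonce and a difficulty, the client burns CPU finding a counter, and the server verifies with one HMAC and one hash while refusing forged, stale or replayed challenges. The secret, difficulty and lifetime are constructed values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SERVER_SECRET = b"constructed-example-secret"   # constructed; read from config in practice
CHALLENGE_TTL = 120          # seconds a challenge stays valid
SPENT: set = set()           # nonces already redeemed (in-memory stand-in for a store)


def _tag(nonce: str, issued: int, bits: int) -> str:
    # Binds nonce, issue time and difficulty so the client cannot lower the work.
    msg = f"{nonce}:{issued}:{bits}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(bits: int = 18, now: Optional[float] = None) -> dict:
    """Server side: hand out a nonce plus the number of leading zero bits
    the client's hash must have. Stateless: the tag lets us trust it later."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return {"nonce": nonce, "issued": issued, "bits": bits,
            "tag": _tag(nonce, issued, bits)}


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: dict) -> int:
    """Client side (the part that would run in the browser): brute-force a
    counter until sha256(nonce || counter) starts with enough zero bits.
    Expected work is about 2**bits hashes; raising bits raises the spam tax."""
    prefix = challenge["nonce"].encode()
    counter = 0
    while True:
        digest = hashlib.sha256(prefix + str(counter).encode()).digest()
        if leading_zero_bits(digest) >= challenge["bits"]:
            return counter
        counter += 1


def verify(challenge: dict, counter: int, now: Optional[float] = None) -> bool:
    """Server side: constant cost regardless of how much work the client did."""
    now = time.time() if now is None else now
    expect = _tag(challenge["nonce"], challenge["issued"], challenge["bits"])
    if not hmac.compare_digest(expect, challenge["tag"]):
        return False                                  # forged or tampered challenge
    if now - challenge["issued"] > CHALLENGE_TTL or challenge["nonce"] in SPENT:
        return False                                  # stale, or solved once and replayed
    digest = hashlib.sha256((challenge["nonce"] + str(counter)).encode()).digest()
    if leading_zero_bits(digest) < challenge["bits"]:
        return False
    SPENT.add(challenge["nonce"])
    return True
```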
When I have a kid, I want to put him in one of those strollers for twins and then run around the mall looking frantic.
Link spam is very easy to filter-out, because spammers have to use links and unobfuscated keywords, otherwise spam won't benefit them. And there are additional methods which can be used like observing odd "browsing" patterns, poor quality of HTTP/HTML implementations. Good'ol blacklists work too.
There are services that successfully implement content-filtering, like Akismet and (mine!) Sblam, which has accuracy over 99.85%.
If you take into account "false positives" CAPTCHA causes by blocking disabled users or just discouraging posting, content-based filtering may be more effective than any "bulletproof" CAPTCHA.
Captchas are annoying, but systems like Kittenauth are easy for humans to answer while defeating bots. If you have the user perform a task like "Click two pictures of kittens" it's very difficult for a bot to do this.
Personally I just keep it simple on my site, I have a box that says "Please type 'I am a human.'" into the box below. If that input field is empty or doesn't match then you know it was submitted by a bot.
Is that the "solution" offered by that Ukrainian company? It only works on the simplest, dumbest captchas. There are very good text-based captchas where the success rate of automated programs is, well, 0 %. Nada. Zilch. Zero. I'm particularly thinking of these nice "text written in 3D" captchas that are very easy to read by humans and, at this point, impossible to read by any programs.
A great many do indeed look very lame (like, say, the one I've got to enter now on /. to post this as an AC) but there are also many very interesting ones that are still "text", yet they're impossible to detect programmatically. Solving such captchas programmatically would be a major AI discovery. We're not there yet.
The fact that this company is breaking lame text captchas doesn't mean that all text captchas are lame.
Note that I'm not saying there aren't other ways to break captchas: "free access to pr0n if you solve this...", cheap labor, etc. I'm simply saying that the fact is that, today, there are text-based captchas that are very legible and very easily read by humans while they're impossible to read by computers.
As a sidenote, given the problem captchas try to solve and the split second it takes to answer one, I don't understand why so many clueless people keep bitchin' "omfg captchas are hard".
The 5/s/z similarity problem is easily solved by simply not using letters too similar and/or allowing one mistake per word. For example entering "nobrain5" will do it if "nobrains" was expected. This has the added benefit of also catching typos. All this is old knowledge for anyone involved in programming captchas.
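As an added example (not the poster's code), the two rules above in Python: build the captcha alphabet from one representative per confusable group, and accept an answer within one edit of the expected word. The confusable groups are constructed and depend on the font in use.

```python
import secrets
import string

# Constructed groups of characters that render alike in many captcha fonts.
# Only the first character of each group stays in the alphabet.
CONFUSABLE_GROUPS = ["s5z", "o0q", "l1i", "b8", "uv", "mn"]
DROP = {c for group in CONFUSABLE_GROUPS for c in group[1:]}
ALPHABET = [c for c in string.ascii_lowercase + string.digits if c not in DROP]


def generate(length: int = 8) -> str:
    """Draw a captcha word that contains no pair of look-alike characters."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes and
    substitutions turning a into b. Classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def accepted(expected: str, entered: str, tolerance: int = 1) -> bool:
    """The poster's rule: one mistake per word is fine, so 'nobrain5' passes
    when 'nobrains' was expected, and so does a plain typo. Note the cost:
    every accepted word now has roughly len(word) * len(ALPHABET) neighbours
    that also pass, which is why tolerance stays at 1."""
    return edit_distance(expected.lower(), entered.strip().lower()) <= tolerance
```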
You know, the kind used to digitally sign e-mail.
No. I don't know. I have no idea what you are talking about and I've been using e-mail since 1992. I've also setup and run my own simple pop3/smtp server back in the day.
I have no idea what a digital ID is and I have never, let me repeat, never seen one on an e-mail. Don't get me wrong, I've seen proprietary systems that do digital signing of some kind but I am not aware of any kind of large scale uptake by the general population.
That kinda makes me think it's a non-starter...
This can be at least partly mitigated by labeling the bogus fields such that a human can easily identify them as bogus. Heck, you could defeat a number of spambots without JavaScript, just by including a single text field with a randomly-generated name and the label "leave this blank". (Or, for 1-to-10 satisfaction surveys, a single line somewhere in the middle with the label "select 7 for this one"; this lets you identify people who weren't actually reading the questions, and adjust their weighting as you see fit.)
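As an added example (not code from either poster), a server-side check in Python for the two ideas above: ten candidate username fields of which the client-side script unhides one, plus a "leave this blank" trap field with a random name. The field names, the in-memory session store and the sample request bodies are constructed.

```python
import secrets
from urllib.parse import parse_qs

# Constructed in-memory record of which field each issued form made visible;
# a real deployment keeps this in its session backend.
SESSIONS: dict[str, dict] = {}


def issue_form(n_fields: int = 10) -> dict:
    """Issue one form: n_fields candidate username inputs, exactly one of which
    the page's script shows to the user, plus a trap field that stays hidden
    and is labelled so a human who does see it knows to leave it empty."""
    nonce = secrets.token_hex(8)
    visible = secrets.randbelow(n_fields) + 1
    trap = "f_" + secrets.token_hex(4)
    SESSIONS[nonce] = {"visible": f"UserName{visible}", "trap": trap,
                       "fields": [f"UserName{i}" for i in range(1, n_fields + 1)]}
    return {"nonce": nonce, **SESSIONS[nonce]}


def render_form(form: dict) -> str:
    """HTML as the server emits it: every candidate starts hidden, and the
    client-side script removes 'hidden' from the one the server chose."""
    rows = [f'<input type="hidden" name="nonce" value="{form["nonce"]}">']
    for name in form["fields"]:
        rows.append(f'<input name="{name}" type="text" hidden>')
    rows.append(f'<label>leave this blank <input name="{form["trap"]}"></label>')
    return '<form method="post">' + "".join(rows) + "</form>"


def validate_submission(body: str) -> tuple[bool, str]:
    """Check a urlencoded POST body against the form that was issued.
    Returns (accepted, username-or-reason)."""
    data = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    form = SESSIONS.pop(data.get("nonce", ""), None)   # one-shot: replays find nothing
    if form is None:
        return False, "unknown or reused nonce"
    if data.get(form["trap"], ""):
        return False, "trap field was filled"
    filled = [f for f in form["fields"] if data.get(f, "")]
    if filled != [form["visible"]]:
        # A bot that fills every input it finds, or the wrong one, lands here.
        return False, f"expected only {form['visible']}, got {filled}"
    return True, data[form["visible"]]
```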
ln 2
You could use your realID card. It would require an embedded microprocessor (smartcard) and a USB smartcard reader. The website would send you a random number as a challenge, it would be passed through to the smartcard, encrypted with your secret key, then sent back to the website. It would then be passed back to a central government database (along with your claimed identity from the card, the website would send the random number to the database itself) and used to look up your identity to verify that you are a person and not a script. People using their cards to enable the operation of scripts will have their keys revoked.
It is NOT meant for a very high end, extremely secure kind of captcha, but it does reduce the hassle for the end user because the original word is also given. So the letters of the original word act as clues for the mangled characters in the captcha -- thus helping people like me who can get confused between "f" and "i" etc, if placed on an inappropriate colored background
Well, you can read all about it here: http://www.syncspace.com/go/Capteacher
I was told by a friend that using an input with CSS { display: none; } would do something... I can reason the possible success with: why would the bot need to read style? Now this hidden input is designed to stay empty, so if it's been added to (the name="name") then it cancels that form submission.
... because one bot I have found doesn't send their IP address... so it cancels the form if user has no IP ...
:P
Also, I have a hidden input which checks whether the user has an ip
I have no idea whether they work.. just wondered
signature is pants
Well, that plugin is not an official out-of-the-box WordPress feature. It's Peter's Custom Captcha. I consider it a custom solution. If Peter's Custom Captcha were an official WordPress out-of-the-box feature, included in the package and enabled by default, that would probably render it unusable after a while.
Is that like "Despite the fact that God created the Universe, people keep getting stupider"?
Bonus round times on 'classic' FEUD: 15/20 seconds (Dawson, Combs)
Bonus round times on 'New' FEUD: 20/25 seconds (Anderson, Karn, O'Hurley)
Case closed.
Slashdot CAPTCHA: contend - apt!
[1] newsflash - captchas usually are.
[2] you're clearly having trouble with this concept.
At the bottom of the