Slashdot Mirror


Evolution of the 'Captcha'

FireballX301 writes "The New York Times is running an article about the small word puzzles various sites use in order to defeat automated script registration while still letting humans through. It seems many people can't actually solve them anymore, so new alternatives (image recognition) are being created. This, of course, seems breakable as well — is there a feasible alternative to the captcha, or are we stuck jumping through more and more hoops to register at places?"

17 of 383 comments

  1. Knowledge tests... by Anonymous Coward · · Score: 3, Interesting

    The other day I saw a system that posed the question:
    'Germany is a country in Africa?'

    Your duty to prove you were human was to change it to the proper continent and the question mark to a period. Seems pretty foolproof, especially if you combine it with things like "and make 'country' all capitals."

    1. Re:Knowledge tests... by thePowerOfGrayskull · · Score: 2, Interesting

      I've used something similar -- requiring a question that can only be answered by people with a genuine interest in the forum/site they are registering for. I have gone from 7-12 spam registrations a day, down to zero [spam regs] since doing so, while people who are legitimately registering still get through.

  2. Re:Alternative? by thetroll123 · · Score: 2, Interesting

    Nonsense. There are plenty of things humans are good at that computers are rubbish at. How about displaying four photographs with the question "which image contains a bottle?"

  3. Re:Stop testing the Humans, test the Robots by jimstapleton · · Score: 5, Interesting

    Have a random or semi-random set of field names, with an associated "key" field. Use the key field to retrieve the field names of interest. Also have a "name" and "password" field set up so they are invisible to a normal user.

    Block any IP submitting a non-blank "name" or "password" field.

    --
    34486853790
    Connection too slow for X forwarding? Try "ssh -CX user@host"
  4. Why register? by the_kanzure · · Score: 2, Interesting

    With the likes of BugMeNot.com, which people can use to distribute usernames and passwords for websites, there is little incentive to collectively continuously register. Look at how many websites are eating us and desperately trying to hold our attention to feed them users. Maybe there is another model, one better than subscription-based?

  5. Filtering by reputation by G4from128k · · Score: 2, Interesting

    Between ever-better computer image recognition algorithms and cheap offshore labor, captchas are doomed. Moreover, captchas don't even solve the actual problem because the goal isn't to distinguish human from nonhuman, but to distinguish spammer from nonspammer. This means we need some mechanism to identify a registrant and be aware of their behavior.

    Why don't sites band together, share data on abusive registrants, and require each new registrant to provide "references" in the form of their logins to 3-5 other sites? A person with a normal online life could easily demonstrate a pattern of nonspammy behavior. People with no prior history might be placed on probation (their posts are reviewed and may not contain any link-like data). If a registrant posts spam they temporarily (or permanently) lose their accounts on that site and all connected sites.

    At some point in time, the only thing that will work is a system that tracks the identity behind the account, assigns a reputation and ostracizes miscreants.

    --
    Two wrongs don't make a right, but three lefts do.
  6. Re:I am torn by lcoughey · · Score: 3, Interesting

    I thought I could avoid using Captchas by simply requesting that the user type in their IP address, which I showed at the bottom of the screen. I know that a bot can easily get the IP address too...I was thinking that my request was vague enough that the bot wouldn't understand the question. My guess is that the bot didn't understand the question and reported the error to its writer. The writer must have explored my website, found the source of the error and then added a subroutine to deal with my question.

    This is really annoying...not damaging, just a big pain in the butt. I could start blocking the IP addresses being used, but that would be in vain, knowing how many zombies are out there.

  7. Re:Alternative? by The+G · · Score: 2, Interesting

    Get rid of the captcha by implementing the one verification scheme more annoying than a captcha! Good job!

    Email validation requires people to give you something -- their email address -- that they may consider more valuable than the ability to post on your forum. You'll lose all those people, who are probably rather more numerous than those who would be turned away by an annoying captcha.

    In addition, email response is far more automatable than captchas. I am currently experimenting with an automated confirm-link-clicker script serving all email addresses at a domain. I'm sure I'm not the only person to have done this -- it really makes interacting with web forums about a million times more pleasant. Next step: A Firefox extension...

  8. Captcha effectiveness isn't related to difficulty by Samrobb · · Score: 4, Interesting

    Shamus Young (the creator of the "DM of the Rings") recently introduced a captcha on his site to deal with comment spam. In his post about using a captcha on his site, he notes that:

    ... I used to get many hundreds of spam a day. Traffic here has jumped up since then, and I wouldn't be at all surprised to find I'm getting a couple of thousand a day by this point. But all of them bounce off the CAPTCHA, and I never even see them. I only see a spam make it through about once every other week, and I'm betting the ones that do make it through are entered manually... In any case, these are really impressive results for a CAPTCHA with only one short phrase that never changes.

    Emphasis mine. He's running a fairly popular site, and using a captcha based off of a single, unchanging, three-character phrase. Just the presence of the captcha was enough to effectively eliminate his spam problem. The indication seems to be that just the presence of a captcha is enough to keep spam off of even a moderately popular site.

    --
    "Great men are not always wise: neither do the aged understand judgement." Job 32:9
  9. Re:Great idea by Jupix · · Score: 3, Interesting

    Heh, I remember once having to enter some cryptic captcha string into a text field at rapidshare or some nameless file hosting service. I think the problem with it was there was no discrimination between O and zero, or something to that extent. Anyway, the captcha sucked so much I misread it three times, in which the site replied with "You are a bot!" and shut me out of the system. Funny way of showing appreciation and respect to customers.

    By the way - since I started typing on this subject - I run a couple of phpBB forums which get quite a few spambots even daily. I've found the best way to deal with them is just to write your own captcha, or an extra form input, requiring dynamic input (doesn't have to be text). Even if your captcha is incredibly weak, it's not likely to be broken because no spambot developer is going to bother cracking a captcha of just one website. Widespread captcha MODs tend to get broken more often so they aren't half as effective.

    On my forum, I have a ten by five cell table filled with checkboxes, and a line of text that says "Please check ten of the checkboxes below", with the number changing on each pageload. The captcha only took me a couple of hours to code, and I haven't had a single spambot registration since I wrote it.

  10. An excellent CAPTCHA by corifornia · · Score: 2, Interesting

    I saw a site the other day that used a captcha.... except it was (when I visited) just a picture of a dog. Underneath it it said, "what is this?" and had a text field to type in what it was.

    I typed in "dog", hit submit and it worked. I signed out, went back to the sign up page and got a picture of a lexus. I typed in "lexus" and it worked. I was curious if it would have worked if I typed in the actual model, or "car" or "sedan." So I refreshed the page continually through about 200 pictures and I never got back to the Lexus, but I did get back to the dog. So this time I typed in "greyhound" and it worked.

    To me that seemed like a cool captcha, it's so open-ended and seems to be extremely difficult (given enough images) for a machine to know what to say, but accepts enough "correct" answers that a person should have no problem.

    --
    crap.
  11. Re:Alternative? by Wierdy1024 · · Score: 2, Interesting

    Quick question: Isn't a very easy way to do these captchas to redirect them to another site, so they're done by that site's users? Say for example you run a spamnet, and a popular forum. Each time someone on your forum tries to post something, you get your bot to go and get a captcha from someone else's site and serve it to the user on your forum. When they enter the code, that code is given to the bot to enter on the target site. Easy. For every post in your forum, you now get another PayPal account, or spam post somewhere, or whatever you're after. Whatever technology you use, this is impossible to stop, because if you asked the user a question, the bot could simply redirect that question to a real user on another site.

  12. Re:Alternative? by cyphergirl · · Score: 4, Interesting

    My husband and I run a forum for homebuilt aircraft and we've already got bots doing this. We're using captchas at registration, an email activation link AND we have to have a moderator personally approve every registration...... and we still have some spammers who get through. I'm really beginning to think that there is an army of them out there earning .01 per hour to actually read our site and create profiles that match our user base. Some of the spammers have gone as far as to create signature blocks stating which type of kit they are building and the tail number they've reserved from the FAA. The account gets approved and then we've got hundreds of V1@grA posts to clean up in the morning.

    I read an advertisement recently -- apparently someone is collecting the URLs of web forum signup pages and then selling them to the botnets. I was thinking that maybe we could come up with a way of randomizing the signup page URL so that it would only work when the link is actually clicked on, but never got around to it. And let's be honest -- they'd figure that out too. *sigh*

    --
    --Insert catchy .sig line here--
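
One way to build the click-only signup URL mused about in the comment above, as an added example that is not code from the thread or from any forum package: the link carries an HMAC over the visitor's session and an issue time, so a harvested URL fails in any other session or after it expires. The secret, the session id, the `/signup/<token>` route and the 600-second lifetime are all assumptions.

```python
import hashlib
import hmac
import time

# Assumptions (not from the thread): a server-side secret, a per-visitor
# session id taken from a cookie, and a /signup/<token> route.
SERVER_SECRET = b"constructed-demo-secret"
TTL_SECONDS = 600


def _sign(session_id, issued):
    """Short MAC binding the link to one session and one issue time."""
    msg = f"{session_id}.{issued}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def make_signup_path(session_id, now=None):
    """Build the link to embed in a page served to this session."""
    issued = str(int(time.time() if now is None else now))
    return f"/signup/{issued}.{_sign(session_id, issued)}"


def check_signup_path(path, session_id, now=None):
    """True only for an unexpired link that was issued to this same session."""
    token = path.rsplit("/", 1)[-1]
    issued, sep, sig = token.partition(".")
    if not sep:
        return False                      # no signature part at all
    expected = _sign(session_id, issued)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False                      # forged, or issued to another session
    try:
        age = (time.time() if now is None else now) - int(issued)
    except ValueError:
        return False
    return 0 <= age <= TTL_SECONDS
```

This stops resale of a static signup URL; it does nothing against a human or a browser-driving bot that loads the linking page first, which is the limit the commenter already anticipates.
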
  13. Captcha wastes (human) time and frustrates users by jeremy+f · · Score: 3, Interesting

    So rather than put the burden of proof on humans to prove they're not a machine, put the burden of proof on the machines to prove they're a human?

    Take your average HTML form:

    Rather than have 1 textbox for a field value, have 10. UserName1, UserName2, UserName3, etc.

    Use javascript to randomly assign one of them as visible. The rest are hidden from the user.

    On the server, watch to see which textbox is filled. Presumably, with decent enough javascript skills, and stupid enough bots, your humans will fill out what they see, which is the correct combination. The bots won't.

    Granted, this method can be defeated if the bot checks for field level visibility after the page finishes loading, but even then, with decent enough javascript, you can continue to provide unobtrusive checks to ensure that your user is real -- e.g., unless the bot is running a macro through a web browser itself, your onblur events probably won't be tripped. And so on.

    This puts a burden on the developers to come up with clever ways of defeating the bots, but in reality, that's where the battle is -- html application devs. vs spambot devs. Users shouldn't have to be dragged into the middle.
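
A server-side sketch of the decoy-field idea in the comment above, combined with the key-derived field names and hidden "name"/"password" honeypots from jimstapleton's earlier comment; it is an added example, not code from either poster. The secret, the HMAC derivation and the choice of visible box on the server (rather than in client-side JavaScript) are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumptions (not from the thread): a server-side secret, hex form keys,
# and CSS that hides the honeypots and every box except the real one.
SERVER_SECRET = b"constructed-demo-secret"
BOXES = 10                         # UserName1..UserName10 in the comment
HONEYPOTS = ("name", "password")   # bait fields a human never sees


def _mac(form_key, label):
    msg = f"{form_key}:{label}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def field_names(form_key):
    """Per-form field names, recoverable only from the key plus the secret."""
    return ["f_" + _mac(form_key, f"box{i}")[:12] for i in range(BOXES)]


def visible_index(form_key):
    """Which of the boxes the page should render visible for this key."""
    return int(_mac(form_key, "visible"), 16) % BOXES


def new_form():
    """Return (key, names, visible index) for rendering one form."""
    form_key = secrets.token_hex(8)
    return form_key, field_names(form_key), visible_index(form_key)


def check_submission(post):
    """Return (accepted, value or rejection reason) for a POSTed dict."""
    if any(post.get(h, "").strip() for h in HONEYPOTS):
        return False, "honeypot filled"       # candidate for an IP block
    form_key = post.get("key", "")
    names = field_names(form_key)
    real = names[visible_index(form_key)]
    filled = [n for n in names if post.get(n, "").strip()]
    if filled != [real]:
        return False, "wrong box filled"
    return True, post[real].strip()
```

A bot that replays a key it fetched and inspects which box is visible still passes, which is the weakness the comment itself concedes.
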

  14. Re:Alternative? by MickDownUnder · · Score: 2, Interesting

    I agree, which is why I wrote a framework for text based CAPTCHAs that allows web developers to combine their effort to counter spammers.

    The goal of the framework is to provide mechanisms for securely presenting and validating answers to text based CAPTCHAs in a way that is easily customised, configured, monitored, and extended. A key feature of the system is a plugin environment that allows developers to easily add, configure and write plugins for the system. For each request the system chooses a random plugin to generate the CAPTCHA. Each plugin for the system as you say with time and effort can be countered. However every plugin implemented for the framework provides additional permutations for spammers to counter.

    So basically it's a simplistic brute force approach, as long as there are more developers writing plugins for this framework than spammers coding against it, a site using the framework should be relatively "safe" from attack.

    But as you say, nothing is foolproof. I think that is certainly true for traditional image captchas. It's only a matter of time (and probably not that much of it) before spammers start using OCR to attack sites using image based CAPTCHAs and in the meantime there are millions of visually impaired people being unfairly denied access to content on the net.

    P.S I've already posted this once on slashdot in reply to another story about CAPTCHAs only to be thoroughly and completely flamed by those who felt compelled to do so. I guess I'm a sucker for punishment ...

  15. Kittenauth! by Blackknight · · Score: 2, Interesting

    Captchas are annoying, but systems like Kittenauth are easy for humans to answer while defeating bots. If you have the user perform a task like "Click two pictures of kittens" it's very difficult for a bot to do this.

    Personally I just keep it simple on my site, I have a box that says "Please type 'I am a human.' into the box below." If that input field is empty or doesn't match then you know it was submitted by a bot.

  16. Another use for captchas? by sabufrancis · · Score: 2, Interesting
    I got quite tired of filling in captchas... Because I am colour blind, many of the captchas are hard to decipher. I used to mull over the form containing captchas (reload them, etc.) and it struck me that I could possibly use captchas for some kind of educational exercise. So I wrote a "different" kind of captcha, that picked up existing words in dictionaries and mangled them... and the user got a chance to read the meaning of the word. Hmmm... this is definitely an odd way of spending time on a form, but it could be useful in say educational sites, etc.

    It is NOT meant for a very high end, extremely secure kind of captcha, but it does reduce the hassle for the end user because the original word is also given. So the letters of the original word act as clues for the mangled characters in the captcha -- thus helping people like me who can get confused between "f" and "i" etc, if placed on an inappropriate colored background.

    Well, you can read all about it here: http://www.syncspace.com/go/Capteacher