Evolution of the 'Captcha'
FireballX301 writes "The New York Times is running an article about the small word puzzles various sites use in order to defeat automated script registration while still letting humans through. It seems many people can't actually solve them anymore, so new alternatives (image recognition) are being created. This, of course, seems breakable as well — is there a feasible alternative to the captcha, or are we stuck jumping through more and more hoops to register at places?"
As a Christian fundamentalist, I cannot in good conscience believe that captchas have evolved, yet at the same time since I can never figure out what to type to make them work, I cannot believe any intelligence was involved in their design.
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
The other day I saw a system that posed the question:
'Germany is a country in Africa?'
Your duty to prove you were human was to change it to the proper continent and the question mark to a period. Seems pretty foolproof, especially if you combine it with things like "and make 'country' all capitals."
In my mind, anything that can be put out by an automated system for purposes of determining whether the communication on the other end is from an automated system can, with enough ingenuity, be answered by an automated system. IOW, all 'captchas' and similar methods are ultimately defeatable. It's an arms race, just like DRM: clever people will always figure out how to defeat what protections you put in place no matter how clever your protections are.
My blog
What word did you have to type to prove you weren't a bot? A good sample might give us an insight into which words are used: why? I had to type 'interest' - which seems to have no real distinguishing feature.
Are they chosen for any good reason, or are they completely arbitrary? Are there letters that bots have trouble with? Fonts? Who knows?
The only thing that's sure is that every protection will eventually be broken.
What's more, maybe if you can't solve a simple word puzzle, I don't want you registering at my site...
There are 10 kinds of people in this world: those who understand binary, and nine other kinds of people.
Ask the user to perform a task that only a computer is likely to succeed at, like factorizing a 6-digit number. If the user gives the right answer, and this is the cunning part: Then it's not a human!
MAN, I feel clever sometimes.
OK, I am a bit shortsighted, but still, some of the captchas are so garbled with bright color random pixel/forms while the font color of what was to be read was light gray/pink/blue on white background (and naturally distorted) that frankly I swore loudly while trying for the 5th time to enter the correct random combo of lower case, upper case and digits.
I am not sure if a picture is better, but it is definitely a step forward if I don't have to spend 5 times retrying.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
I find some of the most cryptic captchas on the ticketmaster site. Granted that the site deserves a stringent bot control given the risk of scalpers, but some of their patterns border on the ridiculous. TFA mentions someone who achieved 25% success in deciphering those ticketmaster ones and I am thinking, "how does he do that?!"
My sig has been answered.
I always get annoyed by captchas... it's like a forced human intelligence test.
We know that humans are more intelligent than scripts, so I always thought it should be easier to test the lack of intelligence in scripts than proving intelligence in humans.
For example just use a simple honeypot in a html form. Put a dummy input field in a form. You can hide the field with CSS/noscript tag or just mark it: "This field should be left intentionally blank" or something of that nature to make it more human friendly.
Seeing that all form fields are generally blank, the spambot/script will fill your dummy field. On the server side, check if the field has data; if it does, ignore the submission. It would be a VERY intelligent script that could COMPREHEND the purpose of any particular html input field.
my anonymous 2c
One day, everybody will have a digital ID. You know, the kind used to digitally sign e-mail. If you had to digitally sign your request to create an account with a certificate issued from a trusted CA, then using a bot creates the potential of the user having his digital certificate revoked.
With the likes of BugMeNot.com, which people can use to distribute usernames and passwords for websites, there is little incentive to collectively continuously register. Look at how many websites are eating us and desperately trying to hold our attention to feed them users. Maybe there is another model, one better than subscription-based?
examples are here (under Guidelines > Accessibility) and here
Mongrel News all the news that fits and froths
http://recaptcha.net/
Between ever-better computer image recognition algorithms and cheap offshore labor, captchas are doomed. Moreover, captchas don't even solve the actual problem because the goal isn't to distinguish human from nonhuman, but to distinguish spammer from nonspammer. This means we need some mechanism to identify a registrant and be aware of their behavior.
Why don't sites band together, share data on abusive registrants, and require each new registrant to provide "references" in the form of their logins to 3-5 other sites? A person with a normal online life could easily demonstrate a pattern of nonspammy behavior. People with no prior history might be placed on probation (their posts are reviewed and may not contain any link-like data). If a registrant posts spam they temporarily (or permanently) lose their accounts on that site and all connected sites.
At some point in time, the only thing that will work is a system that tracks the identity behind the account, assigns a reputation and ostracizes miscreants.
Two wrongs don't make a right, but three lefts do.
I read some time ago about a guy who wanted to spam a large ISP (can't recall the company), so he created a porn site, botted the ISP and scraped the captchas, putting them on his porn site where a good old human was waiting to do the work for him. Seems porn can power anything.
I don't think many people know that it's a canary with a machine gun. And I'm not sure I want that many people knocked off the internet in one swell foop
Replace the mangled-text-and-response captcha with a skill test, like punch-the-monkey. Maybe I could win an iPod while I'm at it.
Unrelated question... how do you validate the captcha if you are browsing with lynx?
Mod self -1,weird-mood-on-a-monday
Why, oh why, didn't I take the Blue Pill?
Yes, users need to answer riddles like in notpron. The kind you need 10 hours to find the solution /Grin/ :D
No wonder the OCR software can't read them... I had to reload about 4 times before I could identify both words, and even then, I can't help wondering why they added the extra strike-through to make it even harder.
Nick Waterman, Sr Tech Director, #include <stddisclaimer>
Shamus Young (the creator of the "DM of the Rings") recently introduced a captcha on his site to deal with comment spam. In his post about using a captcha on his site, he notes that:
Emphasis mine. He's running a fairly popular site, and using a captcha based off of a single, unchanging, three-character phrase. Just the presence of the captcha was enough to effectively eliminate his spam problem. The indication seems to be that just the presence of a captcha is enough to keep spam off of even a moderately popular site.
"Great men are not always wise: neither do the aged understand judgement." Job 32:9
I saw a site the other day that used a captcha... except it was (when I visited) just a picture of a dog. Underneath it it said, "what is this?" and had a text field to type in what it was.
I typed in "dog", hit submit and it worked. I signed out, went back to the sign up page and got a picture of a lexus. I typed in "lexus" and it worked. I was curious if it would have worked if I typed in the actual model, or "car" or "sedan." So I refreshed the page continually through about 200 pictures and I never got back to the Lexus, but I did get back to the dog. So this time I typed in "greyhound" and it worked.
To me that seemed like a cool captcha, it's so open-ended and seems to be extremely difficult (given enough images) for a machine to know what to say, but accepts enough "correct" answers that a person should have no problem.
crap.
"Unintelligent Design"?
Is that like "Despite the fact that God created the Universe, people keep getting stupider"?
Or is it some sly jab at Windows?
Or maybe it's a scientific theory derived from studying governments!
You are in a maze of twisty little passages, all alike.
If you read Shamus' blog post, he's not using a custom solution - he's using a standard Wordpress plugin that is configured to only offer up a single captcha phrase. Presumably, if he were to run into issues with using just the single phrase, he could update his configuration to use additional captcha phrases, without having to do any custom development.
"Great men are not always wise: neither do the aged understand judgement." Job 32:9
So rather than put the burden of proof on humans to prove they're not a machine, put the burden of proof on the machines to prove they're a human?
Take your average HTML form:
Rather than have 1 textbox for a field value, have 10. UserName1, UserName2, UserName3, etc.
Use javascript to randomly assign one of them as visible. The rest are hidden from the user.
On the server, watch to see which textbox is filled. Presumably, with decent enough javascript skills, and stupid enough bots, your humans will fill out what they see, which is the correct combination. The bots won't.
Granted, this method can be defeated if the bot checks for field level visibility after the page finishes loading, but even then, with decent enough javascript, you can continue to provide unobtrusive checks to ensure that your user is real -- e.g., unless the bot is running a macro through a web browser itself, your onblur events probably won't be tripped. And so on.
This puts a burden on the developers to come up with clever ways of defeating the bots, but in reality, that's where the battle is -- html application devs. vs spambot devs. Users shouldn't have to be dragged into the middle.
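Added example, not part of any comment in this thread: a server-side check combining the hidden honeypot field and the ten-textbox decoy idea described in the comments above. The field name `website`, the `nonce`/`tag` hidden inputs and the HMAC binding are assumptions made for illustration; the comments only describe the visible/hidden field trick itself.

```python
import hashlib
import hmac
import secrets

# Hypothetical names: SECRET, FIELD_COUNT and the "website" honeypot field.
SECRET = secrets.token_bytes(32)
FIELD_COUNT = 10          # UserName1 .. UserName10, as in the comment
HONEYPOT = "website"      # hidden with CSS; a human never sees or fills it


def _tag(nonce, index):
    """MAC binding a form instance (nonce) to the index of its real field."""
    msg = f"{nonce}:{index}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_form():
    """Pick the one real UserName field; return it plus the hidden inputs."""
    nonce = secrets.token_hex(8)
    real = secrets.randbelow(FIELD_COUNT) + 1
    # The page script un-hides UserName<real>; nonce and tag travel as
    # hidden inputs, so the server keeps no per-form state.
    return real, {"nonce": nonce, "tag": _tag(nonce, real)}


def check_submission(form):
    """Return (accepted, username_or_reason) for a submitted form dict."""
    if form.get(HONEYPOT, ""):
        return False, "honeypot field filled"
    filled = [i for i in range(1, FIELD_COUNT + 1)
              if form.get(f"UserName{i}", "").strip()]
    if len(filled) != 1:
        return False, "expected exactly one UserName field"
    expected = _tag(form.get("nonce", ""), filled[0])
    if not hmac.compare_digest(expected.encode(), form.get("tag", "").encode()):
        return False, "decoy field filled"
    return True, form[f"UserName{filled[0]}"].strip()


if __name__ == "__main__":
    real, hidden = issue_form()
    # Constructed submissions: a human fills only the visible field,
    # a naive bot fills every input it finds.
    human = dict(hidden, **{f"UserName{real}": "alice"})
    bot = dict(hidden, website="http://spam.example",
               **{f"UserName{i}": "spam" for i in range(1, FIELD_COUNT + 1)})
    print(check_submission(human), check_submission(bot))
```

A script that fills exactly one UserName field at random still passes one time in ten, so this filters naive form-fillers rather than replacing rate limiting or moderation.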
Captchas are annoying, but systems like Kittenauth are easy for humans to answer while defeating bots. If you have the user perform a task like "Click two pictures of kittens" it's very difficult for a bot to do this.
Personally I just keep it simple on my site, I have a box that says "Please type 'I am a human.' into the box below." If that input field is empty or doesn't match then you know it was submitted by a bot.
Implement a standard CAPTCHA system, with fairly easy to read characters.
Then, for the challenge section, randomly select a prompt from the following (as an image, not plain text):
"Enter only the last letter of the captcha"
"Enter all the numbers included in the captcha"
"Enter all the letters included in the captcha"
"Enter the character from the captcha in reverse order"
"Enter all the vowels from the captcha"
"Enter all the consonants from the captcha"
"Enter the letter of the alphabet that follows the second letter shown in the captcha"
"Enter all the blue characters"
It seems to me that this would make the already-used captchas much harder to crack, as the bots would have to be able to recognize the captcha, locate the prompt graphic (which could be randomly inserted, along with "dummy" images), understand what the prompt is saying, and then apply its instructions to the captcha. Most humans should be able to do this (except maybe the consonant one, for people who never learned what a consonant is), but most computerized means that could do this would be more lucrative sold as commercial software than used to enter captchas on websites.
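Added example, not part of the comment above: how a server could derive the expected answer for each of the listed prompts and avoid issuing a prompt the captcha cannot satisfy. The per-character colour model, the wrap from 'z' to 'a', case-insensitive matching and the sample captcha are assumptions; the comment does not specify them.

```python
import secrets

VOWELS = set("aeiouAEIOU")


def letters(c):
    """Letters of the captcha in display order (ASCII alphanumerics assumed)."""
    return [ch for ch, _ in c if ch.isalpha()]


def next_letter(ch):
    # Assumption: 'z' wraps to 'a'; the comment does not say.
    base = ord("a") if ch.islower() else ord("A")
    return chr((ord(ch) - base + 1) % 26 + base)


# Prompt text exactly as listed in the comment -> rule producing the answer.
# A captcha is a list of (character, colour) pairs.
RULES = {
    "Enter only the last letter of the captcha": lambda c: letters(c)[-1:],
    "Enter all the numbers included in the captcha":
        lambda c: [ch for ch, _ in c if ch.isdigit()],
    "Enter all the letters included in the captcha": letters,
    "Enter the character from the captcha in reverse order":
        lambda c: [ch for ch, _ in reversed(c)],
    "Enter all the vowels from the captcha":
        lambda c: [ch for ch in letters(c) if ch in VOWELS],
    "Enter all the consonants from the captcha":
        lambda c: [ch for ch in letters(c) if ch not in VOWELS],
    "Enter the letter of the alphabet that follows the second letter shown in the captcha":
        lambda c: [next_letter(ch) for ch in letters(c)[1:2]],
    "Enter all the blue characters":
        lambda c: [ch for ch, col in c if col == "blue"],
}


def expected_answer(captcha, prompt):
    return "".join(RULES[prompt](captcha))


def pick_prompt(captcha):
    """Choose at random among prompts that have a non-empty answer here."""
    return secrets.choice([p for p in RULES if expected_answer(captcha, p)])


def verify(captcha, prompt, response):
    answer = expected_answer(captcha, prompt)
    # An empty expected answer never verifies, so a blank submission cannot pass.
    return bool(answer) and response.strip().lower() == answer.lower()


# Constructed sample captcha: "k7Ae2z" with a colour per character.
SAMPLE = list(zip("k7Ae2z", ["red", "blue", "blue", "red", "green", "blue"]))
```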
It is NOT meant for a very high end, extremely secure kind of captcha, but it does reduce the hassle for the end user because the original word is also given. So the letters of the original word act as clues for the mangled characters in the captcha -- thus helping people like me who can get confused between "f" and "i" etc, if placed on an inappropriately colored background.
Well, you can read all about it here: http://www.syncspace.com/go/Capteacher