Slashdot Mirror


Evolution of the 'Captcha'

FireballX301 writes "The New York Times is running an article about the small word puzzles various sites use in order to defeat automated script registration while still letting humans through. It seems many people can't actually solve them anymore, so new alternatives (image recognition) are being created. This, of course, seems breakable as well — is there a feasible alternative to the captcha, or are we stuck jumping through more and more hoops to register at places?"


  1. I am torn by jollyreaper · · Score: 5, Funny

    As a Christian fundamentalist, I cannot in good conscience believe that catchpas have evolved, yet at the same time since I can never figure out what to type to make them work, I cannot believe any intelligence was involved in their design.

    --
    Kwisatz Haderach
    Sell the spice to CHOAM
    This Mahdi took Shaddam's Throne
    1. Re:I am torn by dattaway · · Score: 5, Funny

      Here in Kansas, captcha evolution has been subject to legal review. Kansas City's Road Runner is employing packet shaping to eliminate the evolution of captchas. You might not see the captcha, but others believe it exists.

    2. Re:I am torn by lcoughey · · Score: 3, Interesting

      I thought I could avoid using Captchas by simply requesting that the user type in their IP address that I showed at the bottom of the screen. I know that a bot can easily get the IP address too...I was thinking that my request was vague enough that the bot wouldn't understand the question. My guess is that the bot didn't understand the question and reported the error to its writer. The writer must have explored my website, found the source of the error and then added a subroutine to deal with my question.

      This is really annoying...not damaging, just a big pain in the butt. I could start blocking the IP addresses being used, but that would be in vain, knowing how many zombies are out there.

    3. Re:I am torn by jollyreaper · · Score: 3, Funny

      I think really we should be switching to riddles instead of captchas. "What walks on four legs in the morning, two in the afternoon and four in the evening?"

      That will sort the men from the bots. ;)

      That would be three legs in the evening and you would be describing my father. He's hungover in the morning, just about has his shit together in the afternoon but is already into the next bottle by evening.
      --
      Kwisatz Haderach
      Sell the spice to CHOAM
      This Mahdi took Shaddam's Throne
    4. Re:I am torn by SPQR_Julian · · Score: 3, Funny

      I think really we should be switching to riddles instead of captchas. "What walks on four legs in the morning, two in the afternoon and four in the evening?" Thought it was three in the evening, not four.

      Yes, but that's what makes it such a challenge. Getting the riddle right when the joke is wrong will REALLY confuse the bots!
  2. Knowledge tests... by Anonymous Coward · · Score: 3, Interesting

    The other day I saw a system that posed the question:
    'Germany is a country in Africa?'

    Your duty to prove you were human was to change it to the proper continent and the question mark to a period. Seems pretty fool proof, especially if you combine it with things like "and make 'country' all capitals."

    1. Re:Knowledge tests... by CrazyTalk · · Score: 5, Funny

      Ummm I don't think this would work in the US, where (considering our educational system) some people might answer "yes". In fact, some celebrity (I forget which) recently thought that Japan was a country in Africa, which is why Africa has the best sushi.

    2. Re:Knowledge tests... by Anonymous Coward · · Score: 4, Funny

      No great loss in keeping people with that kind of education and/or intelligence away from the internet. Kinda like you'd like to keep the caveman with the club away from the nuclear bomb.

    3. Re:Knowledge tests... by OhPlz · · Score: 3, Funny

      Well then, that's an added bonus, isn't it? It not only weeds out the spam bots, but also the celebrity know-nothings.

    4. Re:Knowledge tests... by bobmarleypeople · · Score: 5, Funny

      I've seen several sites using questions similar to yours except they were more obvious. An example was:

      Which is a food?
      A) pink
      B) car
      C) Britney Spears
      D) Hamburger

      There is of course the possible registration by a disturbed and horny male who would say "Britney Spears" but you get the idea.

    5. Re:Knowledge tests... by jollyreaper · · Score: 4, Funny

      I've seen several sites using questions similar to yours except they were more obvious. An example was:

      Which is a food?
      A) pink
      B) car
      C) Britney Spears
      D) Hamburger

      There is of course the possible registration by a disturbed and horny male who would say "Britney Spears" but you get the idea.

      Make sure you cook your Britney thoroughly first, no telling what diseases she's carrying.
      --
      Kwisatz Haderach
      Sell the spice to CHOAM
      This Mahdi took Shaddam's Throne
    6. Re:Knowledge tests... by Hognoxious · · Score: 3, Funny

      There is of course the possible registration by a disturbed and horny male who would say "Britney Spears"
      Or Pink.
      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    7. Re:Knowledge tests... by kbox · · Score: 5, Insightful

      If there are four possible answers even a script will be right 1 in four times... So if they make a registration attempt every second they will still get 900 successful registrations an hour.

    8. Re:Knowledge tests... by oliverthered · · Score: 4, Funny

      Kinda like you'd like to keep the caveman with the club away from the nuclear bomb.

      And then you voted for Bush, TWICE!!!!!!

      --
      thank God the internet isn't a human right.
    9. Re:Knowledge tests... by Fred_A · · Score: 4, Funny

      "pink" is a common dessert on airlines.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    10. Re:Knowledge tests... by mu22le · · Score: 3, Insightful

      Your captcha can be defeated by a simple parser + google. Just see if "food+pink" has more hits than "food+hamburger".

      Also you would need a small army of people to write the question in the first place (actually you could try to generate category/item couples from a statistical analysis of wikipedia).

      Now that I think of it... it's just too easy to beat your captcha randomly (1/4 chances is not that bad for a script).

      On a funny note... a captcha similar in spirit to the one you propose is http://www.hotcaptcha.com/ based on hotornot. At least it's worth a laugh :)

  3. Alternative? by morgan_greywolf · · Score: 3, Insightful

    In my mind, anything that can be put out by an automated system for purposes of determining whether the communication on the other end is from an automated system can, with enough ingenuity, be answered by an automated system. IOW, all 'captchas' and similar methods are ultimately defeatable. It's an arms race, just like DRM: clever people will always figure out how to defeat what protections you put in place no matter how clever your protections are.

    1. Re:Alternative? by moranar · · Score: 4, Insightful

      Doesn't work well: a bot will be right 25% of the times, just by answering at random. And more pictures mean difficult layout, or small picture size. Plus, it becomes an undue hassle on real users.

      --
      "I think it would be a good idea!"
      Gandhi, about Internet Security
    2. Re:Alternative? by twistedsymphony · · Score: 4, Insightful

      What ever happened to email validation?

      You give the script your email address, it sends you an email and you follow a validation link within the email. Implementing this on my website where I had a captcha before got rid of 100% of the spam.

      There are also other little dirty tricks you can do to ensure it's a human on the other end, one of my favorites is to check the referrer URL when accepting a comment... if it's not being referred from my entry forum then it just happily throws the request away. Even if it's not spam it's probably something malicious anyway.

      Another thing I used to use that worked really well in conjunction with registration is "approving" any account in which the first post doesn't contain any links or any words on a "spam list". If the first post of the newly registered account contains any links or spam words at all, it's held for moderation and must be approved manually. A vast majority of the legit people leaving comments for the first time won't be including any links or talking about viagra on a tech site, no links or spam words means they've been validated as "not spam" and if they've included links it only takes a human a few seconds to qualify if the account should be canceled as spam or approved as a non-spam account. This one obviously takes some man power so it only really works on smaller sites. It might be easy for a spam bot to counteract this but the way it validates is not apparent, not to mention this is already after an email has been validated.
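
Added example (not part of the thread and not twistedsymphony's code): a sketch of the referrer check and first-post hold described in the comment above. The host name, form path, word list and the substitution table used to fold spellings such as "V1@grA" are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

SITE_HOST = "forum.example"          # hypothetical site host
ENTRY_FORM_PATH = "/comment"         # hypothetical path of the comment form
SPAM_WORDS = {"viagra", "casino"}    # constructed sample "spam list"

# Fold common character substitutions before matching ("V1@grA" -> "viagra").
LEET = str.maketrans({"1": "i", "!": "i", "@": "a", "4": "a",
                      "0": "o", "3": "e", "$": "s", "5": "s"})
# Explicit URLs, "www." hosts, and bare names under a few common TLDs.
LINK_RE = re.compile(
    r"(?:https?://|www\.)\S+|\b[a-z0-9-]+\.(?:com|net|org|info|biz)\b", re.I)


def referer_ok(referer):
    """True only if the Referer header points at our own entry form.

    The header is client-supplied, so this filters naive scripts only.
    """
    if not referer:
        return False
    url = urlsplit(referer)
    return (url.scheme in ("http", "https")
            and url.hostname == SITE_HOST
            and url.path == ENTRY_FORM_PATH)


def spam_words_in(text):
    """Return the spam-list words found after folding substitutions."""
    folded = text.lower().translate(LEET)
    return sorted(set(re.findall(r"[a-z]+", folded)) & SPAM_WORDS)


def triage_first_post(referer, text, account_validated):
    """Decide what to do with a submitted post.

    discard              - not referred from the entry form
    publish              - account was already validated by an earlier post
    hold                 - first post has a link or spam word: manual review
    publish_and_validate - clean first post: publish and mark account validated
    """
    if not referer_ok(referer):
        return "discard"
    if account_validated:
        return "publish"
    if LINK_RE.search(text) or spam_words_in(text):
        return "hold"
    return "publish_and_validate"
```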

    3. Re:Alternative? by Poromenos1 · · Score: 3, Funny

      I've found that not even this is necessary, I run a site with about 1000 visitors per day and the spam messages fell to zero when I included a field that said "Type in the box to prove you're human:".

      --
      Send email from the afterlife! Write your e-will at Dead Man's Switch.
    4. Re:Alternative? by cyphergirl · · Score: 4, Interesting

      My husband and I run a forum for homebuilt aircraft and we've already got bots doing this. We're using captchas at registration, an email activation link AND we have to have a moderator personally approve every registration...... and we still have some spammers who get through. I'm really beginning to think that there is an army of them out there earning .01 per hour to actually read our site and create profiles that match our user base. Some of the spammers have gone as far as to create signature blocks stating which type of kit they are building and the tail number they've reserved from the FAA. The account gets approved and then we've got hundreds of V1@grA posts to clean up in the morning.

      I read an advertisement recently -- apparently someone is collecting the URLs of web forum signup pages and then selling them to the botnets. I was thinking that maybe we could come up with a way of randomizing the signup page URL so that it would only work when the link is actually clicked on, but never got around to it. And let's be honest -- they'd figure that out too. *sigh*

      --
      --Insert catchy .sig line here--
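
Added example (not part of the thread and not cyphergirl's code): one way to make a signup URL that only works when the link is followed from a page the same visitor just loaded, so a harvested copy of the URL is useless later or from another session. The path layout, the session identifier and the ten-minute lifetime are assumptions; the in-memory set stands in for a shared store.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)   # per-deployment signing key (assumption)
TTL = 600                          # seconds a freshly issued link stays valid
_used = set()                      # nonces already redeemed (use a shared store in production)


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()[:32]


def issue_signup_path(session_id, now=None):
    """Build the signup link to embed in a page served to this session."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    sig = _sign(f"{session_id}|{issued}|{nonce}")
    return f"/signup/{issued}-{nonce}-{sig}"


def check_signup_path(path, session_id, now=None):
    """Return 'ok' once per issued link; otherwise the reason for refusal."""
    now = int(time.time() if now is None else now)
    prefix = "/signup/"
    if not path.startswith(prefix):
        return "malformed"
    parts = path[len(prefix):].split("-")
    if len(parts) != 3 or not (parts[0].isascii() and parts[0].isdigit()):
        return "malformed"
    issued, nonce, sig = parts
    expected = _sign(f"{session_id}|{issued}|{nonce}")
    # Constant-time comparison; a link copied into another session fails here.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "bad_signature"
    if now - int(issued) > TTL:
        return "expired"
    if nonce in _used:
        return "replayed"
    _used.add(nonce)
    return "ok"
```
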
  4. Great idea by grimdawg · · Score: 3, Insightful

    What word did you have to type to prove you weren't a bot? A good sample might give us an insight into which words are used: why? I had to type 'interest' - which seems to have no real distinguishing feature.

    Are they chosen for any good reason, or are they completely arbitrary? Are there letters that bots have trouble with? Fonts? Who knows?

    The only thing that's sure is that every protection will eventually be broken.

    What's more, maybe if you can't solve a simple word puzzle, I don't want you registering at my site...

    --
    There are 10 kinds of people in this world: those who understand binary, and nine other kinds of people.
    1. Re:Great idea by Turn-X+Alphonse · · Score: 4, Insightful

      So people with eye sight problems aren't welcome on your site then?

      I have perfect vision and I struggle to tell if some S/5/Zs are one of the letters. The fonts and distortion are getting worse and worse to the point where it's usually 2 or 3 attempts before I can get one correctly, purely because letters are so distorted in them these days.

      --
      I like muppets.
    2. Re:Great idea by 0123456 · · Score: 5, Insightful

      Indeed: these things are getting to be an appalling nuisance. If I see a site that uses them I increasingly just say 'fuck it' and leave; particularly the sites that keep asking for another one every few pages.

      Meanwhile, having an automated system feed them to Chinese people on $0.50 an hour can't be too hard, and they'll have at least as good a chance of getting the correct result as I do.

    3. Re:Great idea by Jupix · · Score: 3, Interesting

      Heh, I remember once having to enter some cryptic captcha string into a text field at rapidshare or some nameless file hosting service. I think the problem with it was there was no discrimination between O and zero, or something to that extent. Anyway, the captcha sucked so much I misread it three times, in which the site replied with "You are a bot!" and shut me out of the system. Funny way of showing appreciation and respect to customers.

      By the way - since I started typing on this subject - I run a couple of phpBB forums which get quite a few spambots even daily. I've found the best way to deal with them is just to write your own captcha, or an extra form input, requiring dynamic input (doesn't have to be text). Even if your captcha is incredibly weak, it's not likely to be broken because no spambot developer is going to bother cracking a captcha of just one website. Widespread captcha MODs tend to get broken more often so they aren't half as effective.

      On my forum, I have a ten by five cell table filled with checkboxes, and a line of text that says "Please check ten of the checkboxes below", with the number changing on each pageload. The captcha only took me a couple of hours to code, and I haven't had a single spambot registration since I wrote it.

  5. Inverted problem by sveinb · · Score: 5, Funny

    Ask the user to perform a task that only a computer is likely to succeed at, like factorizing a 6-digit number. If the user gives the right answer, and this is the cunning part: Then it's not a human!

    MAN, I feel clever some times.

  6. Captcha too hard by aepervius · · Score: 4, Insightful

    OK, I am a bit shrotsighted, but still, some of the captcha are so garbled with bright color random pixel/forms while the font color of what was to be read was light gray/pink/blue on white background (and naturally distorted) that frankly I swore loudly while trying for the 5th time to enter the correct random combo of lower case, upper case and digits.

    I am not sure if a picture is better, but it is definitely a step forward if I don't have to spend 5 times retrying.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
    1. Re:Captcha too hard by Snaller · · Score: 5, Funny

      "OK, I am a bit shrotsighted,"

      And dyslexic.

      --
      If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
  7. Stop testing the Humans, test the Robots by Anonymous Coward · · Score: 5, Insightful

    I always get annoyed by captchas.. it's like a forced human intelligence test.
    We know that humans are more intelligent than scripts, so I always thought it should be easier to test the lack of intelligence in scripts than proving intelligence in humans.

    For example just use a simple honeypot in a html form. Put a dummy input field in a form. You can hide the field with CSS/noscript tag or just mark it: "This field should be left intentionally blank" or something of that nature to make it more human friendly.

    Seeing that all form fields are generally blank, the spambot/script will fill your dummy field. On the server side, if the field has data, ignore the submission. It would be a VERY intelligent script that could COMPREHEND the purpose of any particular html input field.

    my anonymous 2c

    1. Re:Stop testing the Humans, test the Robots by jimstapleton · · Score: 5, Interesting

      Have a random or semi random set of field names, with an associated "key" field. Use the key field to retrieve the field names of interest. Also have a "name" and "password" field set up so they are invisible to a normal user.

      Block any IP submitting a non-blank "name" or "password" field.

      --
      34486853790
      Connection too slow for X forwarding? Try "ssh -CX user@host"
    2. Re:Stop testing the Humans, test the Robots by Kijori · · Score: 4, Informative

      The problem is that the solutions are being coded for individual sites not one size fits all. A custom solution would have no problem with that system at all.

    3. Re:Stop testing the Humans, test the Robots by CodeBuster · · Score: 3, Informative

      It would be a VERY intelligent script that could COMPREHEND the purpose of any particular html input field.

      Not really, considering that most of these scripts are targeted at large sites (yahoo, hotmail, etc) OR common site frameworks (PhpNuke, Drupal, Blogger, etc) where common hidden field input patterns would very quickly be tested and coded around by the script writers. The whole point of CAPTCHA in the first place was that it presented a random and dynamic test which was easy enough for users to solve (at least in theory) while hard enough to foil simple analysis by script. This might work on a small custom website where it is not worth the trouble of the script writers to code a version specifically for the hidden input pattern of your site, but this hidden field stuff was tried and failed on big sites even before CAPTCHA was in common use.

  8. Digital Certificates are the answer by rtobyr · · Score: 3, Insightful

    One day, everybody will have a digital ID. You know, the kind used to digitally sign e-mail. If you had to digitally sign your request to create an account with a certificate issued from a trusted CA, then using a bot creates the potential of the user having his digital certificate revoked.

  9. See you in court? by tepples · · Score: 5, Funny

    Ask the user to perform a task that only a computer is likely to succeed at, like factorizing a 6-digit number. If the user gives the right answer, and this is the cunning part: Then it's not a human!

    Now you're discriminating against autistic savants like Dustin Hoffman's character in Rain Man, in possible violation of disability discrimination acts in the United States, the United Kingdom, or other countries. See you in court.
  10. Captcha effectiveness isn't related to difficulty by Samrobb · · Score: 4, Interesting

    Shamus Young (the creator of the "DM of the Rings") recently introduced a captcha on his site to deal with comment spam. In his post about using a captcha on his site, he notes that:

    ... I used to get many hundreds of spam a day. Traffic here has jumped up since then, and I wouldn't be at all surprised to find I'm getting a couple of thousand a day by this point. But all of them bounce off the CAPTCHA, and I never even see them. I only see a spam make it through about once every other week, and I'm betting the ones that do make it through are entered manually... In any case, these are really impressive results for a CAPTCHA with only one short phrase that never changes.

    Emphasis mine. He's running a fairly popular site, and using a captcha based off of a single, unchanging, three-character phrase. Just the presence of the captcha was enough to effectively eliminate his spam problem. The indication seems to be that just the presence of a captcha is enough to keep spam off of even a moderately popular site.

    --
    "Great men are not always wise: neither do the aged understand judgement." Job 32:9
  11. Re:Unintelligent design by ConceptJunkie · · Score: 3, Funny

    "Unintelligent Design"?

    Is that like "Despite the fact that God created the Universe, people keep getting stupider"?

    Or is it some sly jab at Windows?

    Or maybe it's a scientific theory derived from studying governments!

    --
    You are in a maze of twisty little passages, all alike.
  12. Captcha wastes (human) time and frustrates users by jeremy+f · · Score: 3, Interesting

    So rather than put the burden of proof on humans to prove they're not a machine, put the burden of proof on the machines to prove they're a human?

    Take your average HTML form:

    Rather than have 1 textbox for a field value, have 10. UserName1, UserName2, UserName3, etc.

    Use javascript to randomly assign one of them as visible. The rest are hidden from the user.

    On the server, watch to see which textbox is filled. Presumably, with decent enough javascript skills, and stupid enough bots, your humans will fill out what they see, which is the correct combination. The bots won't.

    Granted, this method can be defeated if the bot checks for field level visibility after the page finishes loading, but even then, with decent enough javascript, you can continue to provide unobtrusive checks to ensure that your user is real -- e.g., unless the bot is running a macro through a web browser itself, your onblur events probably won't be tripped. And so on.

    This puts a burden on the developers to come up with clever ways of defeating the bots, but in reality, that's where the battle is -- html application devs. vs spambot devs. Users shouldn't have to be dragged into the middle.
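
Added example (not part of the thread and not any commenter's code): a server-side sketch combining the checks proposed in this comment and in the "Stop testing the Humans, test the Robots" thread above: decoy "name" and "password" inputs that must stay blank, field names derived from a per-form "key" field, and ten candidate textboxes per value of which only one is shown. Deriving the visible slot on the server from the key, rather than picking it in JavaScript, is an assumption made so the server can verify it; the logical field names are also assumed.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)      # per-deployment secret (assumption)
LOGICAL = ("username", "email")       # values the form really collects (assumed)
DECOYS = ("name", "password")         # bait inputs, hidden from people by CSS
SLOTS = 10                            # candidate textboxes per logical value


def _mac(msg):
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()


def new_key():
    """Value for the hidden 'key' field, generated on every page load."""
    nonce = secrets.token_hex(8)
    return f"{nonce}.{_mac('key|' + nonce)[:16]}"


def key_valid(key):
    nonce, _, tag = key.partition(".")
    return hmac.compare_digest(tag.encode(), _mac("key|" + nonce)[:16].encode())


def slot_names(key, logical):
    """The ten input names rendered for one logical value under this key."""
    return ["f" + _mac(f"{key}|{logical}|{i}")[:12] for i in range(SLOTS)]


def visible_slot(key, logical):
    """Index of the one textbox the page script or stylesheet leaves visible."""
    return int(_mac(f"{key}|{logical}|visible"), 16) % SLOTS


def validate(form):
    """Return ('accept', values), ('reject', reason) or ('block_ip', reason)."""
    key = form.get("key", "")
    if not key_valid(key):
        return ("reject", "bad key")
    # A person never sees the decoys, so any content in them marks a script.
    if any(form.get(d, "").strip() for d in DECOYS):
        return ("block_ip", "decoy field filled")
    values = {}
    for logical in LOGICAL:
        names = slot_names(key, logical)
        show = visible_slot(key, logical)
        filled = [i for i, n in enumerate(names) if form.get(n, "").strip()]
        # Exactly the visible textbox must carry data, and no hidden one.
        if filled != [show]:
            return ("reject", f"{logical}: wrong textbox filled")
        values[logical] = form[names[show]].strip()
    return ("accept", values)
```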