Next-Generation CAPTCHA Exploits the Semantic Gap

captcha_fun writes "Researchers at Penn State have developed a patent-pending image-based CAPTCHA technology for next-generation computer authentication. A user is asked to pass two tests: (1) click the geometric center of an image within a composite image, and (2) annotate an image using a word selected from a list. These images shown to the users have fake colors, textures, and edges, based on a sequence of randomly-generated parameters. Computer vision and recognition algorithms, such as alipr, rely on original colors, textures, and shapes in order to interpret the semantic content of an image. Because of the endowed power of imagination, even without the correct color, texture, and shape information, humans can still pass the tests with ease. Until computers can 'imagine' what is missing from an image, robotic programs will be unable to pass these tests. The system is called IMAGINATION and you can try it out." This sounds promising given how broken current CAPTCHA technology is.

Re:Blind people?

[Ngarrang]

The blind and hard-of-sight have always been poorly served by what is a very visual medium. I don't think will be changing anytime soon. And for that matter (and this may across harsh), I don't if it should be a concern. Do we lament that the blind and h-o-s cannot drive?

The cost of being all-inclusive can be too high for some budgets.

Re:Too hard.

[MichaelSmith]

The general public will not know what "geometric" means*.

This Captcha suffers from the same old problem. As Captchas get harder more humans will fail them.

*or annotate... or centre Soon we will welcome computers to our online forums for their insightful, informative and interesting comments. The CAPTCHA will be there as an initial filter on the quality of posters. It will exclude stupid computers and stupid people.

Don't forget users of lynx

[Nursie]

It annoyed me mightily the day slashdot introduced captchas for comments when you weren't already logged in. And somehow broke the login process from lynx.

Lynx is the geek slacker's greatest tool, when run in an ssh session from your home server, not only is the traffic unloggable (except for "he's calling home a bit") but it even looks like work to the uninitiated.

mechanical turk

[192939495969798999]

Just hire out cracking it to a mechanical turk service, and log their results to a database. Before long, you'll have a system capable of monte-carlo guessing at a high rate of accuracy. The computer doesn't need to know much about the image to make an educated guess with a large enough data pool of previous solutions.

Re:It's still trivially crackable.

[Arancaytar]

Trivia questions. Most internet communities are dedicated to some kind of specific topic. Even someone who is unfamiliar with the trivia can use Google, which the machine cannot.

(Also, said trivia questions will be applicable only to one specific site, so it would never pay for the spammers to build a database of them.)

Re:Blind people?

[phoenixwade]

I don't if it should be a concern. Do we lament that the blind and h-o-s cannot drive?

I think that's a pretty outrageous attitude.
{SNIPPED}
What's the cost of a system that allows a blind person to access text stored electronically on a computer? Pretty-much negligible. Here is where you fail to understand the problem.
    First, creating content is not negligible in cost.
    Second, creating an interface to deliver the content is not Negligable in cost.
    Third, Actually delivering the content to the masses isn't negligible in cost either.
    Fourth, as has been pointed out in other comments and in the article, the problem involves the creation of a technology that will allow your audience to access the content/service you are providing, while simultaneously preventing the use of automated systems to exploit your services by appearing to be your audience (i.e. a Human), because the failure to do so means that you may lose the entire technology, or at the very least render it substantially less useful and more expensive. Email, for example, is only being used 5% of the time as intended, the other 95% being spam (As seen on /. recently)

The thing is, the web should be a superb medium for making its content accessible to practically everyone. The information is already in a form that computers can manipulate easily.

If you use HTML as it was designed to be used, there is no additional cost in making it accessible. AH! Now I understand! You are in the wrong conversation and didn't realize it.

if you are using HTML only, the whole captcha debate is meaningless for you. HTML is designed for PUBLISHING information, captcha applies to web based applications that HTML is only a SMALL part of. After all, the only interactive part of HTML are the form elements. Since YOU aren't actually doing anything with the posted form information, YOU have no need for security and little to no need to verify that the entity on the other end of that pipe is a human, spyder, or spambot.

However, some of us do create applications that need to know this, because we want to provide services for actual humans, but do not want to provide another place for spambots to send out their crap.

Re:Blind people?

[Darundal]

Yeah, anyone try to pull anything off of rapidshare recently? I am not hard of sight, blind, or colorblind, but have yet to been able to *LEGITIMATELY* download anything off their service because of their captcha.

Re:I think RapidShare has a good one

[psy]

Only problem was it took me 5-6 goes to understand how to do it.

It says select 4 letters (when there are numbers and letters)..

Then took me a while to realise there were cats and dogs.. i thought it was just random.

Other bad part about it was that there was a 30 second delay inbetween each attempt!

Can we create even bigger annoyances for users?

[dbmasters]

Are there not back-end ways to filter out spam that doesn't totally inconvenience the user? Yes, there are, I have done it on numerous web sites with great success by scanning the content being submitted for signs of spam and garbage input. Granted, every application has different input available to scan, so the methods I have used likely won't work for everybody, but it's done a great job for the applications it does fit in, such as contact forms, site registrations and such things...CAPTCHA is only a greater annoyance for the user...just like long registration processes for software, dongles and similar systems, they serve only to annoy the legitimate users.

Re:It's still trivially crackable.

[apoc.famine]

That was our solution to spambots on our small (12 active people or so) forum. We used very forum-specific questions to allow registration, and only registered users can post. If someone can't answer the questions, they aren't into the subject enough that we would want them there discussing it. Or they're a spammer, and don't know that the proper answer to the "what would you like to do to a spammer" question is the answer which is exceptionally painful.

But really, as long as you have an authentication method which is significantly hard/unique, you'll be safe. Spamming is a "low hanging fruit" operation. Quantity over qualify, 90% of the time. In fact, the answer to killing off spambots might very well be everyone designing their own authentication. Right now, there are a half-dozen major ones. Crack one, and you have access to millions of places. If instead there were thousands, the time required to break one would not necessarily be worth the money you could get from doing it.

Our forums are not worth programming the automated bots to crack, so we're 100% spam free now, for the first time in a few years. It's not a hard authentication - just different from 99.9% of the rest of them. Hell, most people could answer "what color is this page", even if they had to look at the raw html and google the color hex. But for one page, it's not worth programming a bot to do. Unique authentication methods will kill spambots.

hotcaptcha

[SCHecklerX]

I like this better:

http://www.hotcaptcha.com/