Next-Generation CAPTCHA Exploits the Semantic Gap

captcha_fun writes "Researchers at Penn State have developed a patent-pending image-based CAPTCHA technology for next-generation computer authentication. A user is asked to pass two tests: (1) click the geometric center of an image within a composite image, and (2) annotate an image using a word selected from a list. These images shown to the users have fake colors, textures, and edges, based on a sequence of randomly-generated parameters. Computer vision and recognition algorithms, such as alipr, rely on original colors, textures, and shapes in order to interpret the semantic content of an image. Because of the endowed power of imagination, even without the correct color, texture, and shape information, humans can still pass the tests with ease. Until computers can 'imagine' what is missing from an image, robotic programs will be unable to pass these tests. The system is called IMAGINATION and you can try it out." This sounds promising given how broken current CAPTCHA technology is.

Re:Too hard.

[MichaelSmith]

The general public will not know what "geometric" means*.

This Captcha suffers from the same old problem. As Captchas get harder more humans will fail them.

*or annotate... or centre Soon we will welcome computers to our online forums for their insightful, informative and interesting comments. The CAPTCHA will be there as an initial filter on the quality of posters. It will exclude stupid computers and stupid people.

Don't forget users of lynx

[Nursie]

It annoyed me mightily the day slashdot introduced captchas for comments when you weren't already logged in. And somehow broke the login process from lynx.

Lynx is the geek slacker's greatest tool, when run in an ssh session from your home server, not only is the traffic unloggable (except for "he's calling home a bit") but it even looks like work to the uninitiated.

Re:Blind people?

[phoenixwade]

I don't if it should be a concern. Do we lament that the blind and h-o-s cannot drive?

I think that's a pretty outrageous attitude.
{SNIPPED}
What's the cost of a system that allows a blind person to access text stored electronically on a computer? Pretty-much negligible. Here is where you fail to understand the problem.
    First, creating content is not negligible in cost.
    Second, creating an interface to deliver the content is not Negligable in cost.
    Third, Actually delivering the content to the masses isn't negligible in cost either.
    Fourth, as has been pointed out in other comments and in the article, the problem involves the creation of a technology that will allow your audience to access the content/service you are providing, while simultaneously preventing the use of automated systems to exploit your services by appearing to be your audience (i.e. a Human), because the failure to do so means that you may lose the entire technology, or at the very least render it substantially less useful and more expensive. Email, for example, is only being used 5% of the time as intended, the other 95% being spam (As seen on /. recently)

The thing is, the web should be a superb medium for making its content accessible to practically everyone. The information is already in a form that computers can manipulate easily.

If you use HTML as it was designed to be used, there is no additional cost in making it accessible. AH! Now I understand! You are in the wrong conversation and didn't realize it.

if you are using HTML only, the whole captcha debate is meaningless for you. HTML is designed for PUBLISHING information, captcha applies to web based applications that HTML is only a SMALL part of. After all, the only interactive part of HTML are the form elements. Since YOU aren't actually doing anything with the posted form information, YOU have no need for security and little to no need to verify that the entity on the other end of that pipe is a human, spyder, or spambot.

However, some of us do create applications that need to know this, because we want to provide services for actual humans, but do not want to provide another place for spambots to send out their crap.

Re:It's still trivially crackable.

[apoc.famine]

That was our solution to spambots on our small (12 active people or so) forum. We used very forum-specific questions to allow registration, and only registered users can post. If someone can't answer the questions, they aren't into the subject enough that we would want them there discussing it. Or they're a spammer, and don't know that the proper answer to the "what would you like to do to a spammer" question is the answer which is exceptionally painful.

But really, as long as you have an authentication method which is significantly hard/unique, you'll be safe. Spamming is a "low hanging fruit" operation. Quantity over qualify, 90% of the time. In fact, the answer to killing off spambots might very well be everyone designing their own authentication. Right now, there are a half-dozen major ones. Crack one, and you have access to millions of places. If instead there were thousands, the time required to break one would not necessarily be worth the money you could get from doing it.

Our forums are not worth programming the automated bots to crack, so we're 100% spam free now, for the first time in a few years. It's not a hard authentication - just different from 99.9% of the rest of them. Hell, most people could answer "what color is this page", even if they had to look at the raw html and google the color hex. But for one page, it's not worth programming a bot to do. Unique authentication methods will kill spambots.

hotcaptcha

[SCHecklerX]

I like this better:

http://www.hotcaptcha.com/