Now Even Photo CAPTCHAs Have Been Cracked

MoonUnit writes "Technology Review has an interesting article about the way CAPTCHAS are fueling AI research. Following recent news about various textual CAPTCHAs being cracked, the article notes that a researcher at Palo Alto Research Center has now found a way crack photo-based CAPTCHAs too. Most approaches are based on statistical learning, however, so Luis von Ahn (one of the inventors of the CAPTCHA) says it is usually possible to make a CAPTCHA more difficult to break by making a few simple changes."

CAPTCHAs kick-start Singularity

[wild_berry]

I'm sure I read a short story somewhere that featured the spam-bot arms-race triggering the singularity...

Re:CAPTCHAs kick-start Singularity

[CRCulver]

I too can't exactly recall who thought that up, but there are other references to the spam wars in general leading to the singularity. A few years ago Tim Boucher wrote a blog post jokingly asking if through spam the Internet was trying to communicate with us.

On the other hand, Venor Vinge sees spam as a sign we're not anywhere close to the glorious singularities that he conjured up in novels like A Fire Upon the Deep .

I don't get it

[ilovegeorgebush]

To detect humans, wouldn't it be easier and less costly, and perhaps even more effective, to hold a large database of questions that are readable and solvable only by humans?

Asking simple math or site-relevant questions are not only easier for humans (I'm talking about "What's 5 - 3") to read, but they're harder for automated parsing by software to crack.

Re:I don't get it

[Abstrackt]

The best security I've seen on a sign-up form was "if you're a human, please leave this field blank". Bots tend to fill in all fields, so this already goes a long way towards filtering them out.

You can even take this approach one step further and use CSS to move the field outside the viewable range of the page or set its visible property to false so the user won't even see it.

Re:I don't get it

[mateuscb]

What a conicidence, just today i read a blog talking about a really cool new way we could do CAPTCHAS. The idea seems golden! I can't understand why something like this hasn't been tried. If google or this game creator were to try this, it would take a long time for computers to even come close to breaking this. Check out the blog http://www.yuniti.com/BetterCaptcha

Re:I don't get it

[VeNoM0619]

Asirra asks users to correctly classify images of either cats or dogs using a database of three million images provided by animal-rescue organizations.

Only cats and dogs. Like I said earlier, don't limit it to just a few species. Pick one at random.

Example: You are shown 20 pictures, all of random animals, it asks which one is the cutest aardvark, then which is the happiest turtle. Continuing random traits with random animals. Their flaw was limiting it to just dogs and cats.

Or to take it to a different level. Most attractive/sexy/cute/old/etc. female(or male). Computers cannot tell what is the "most" prevalent "society" based trait of a picture. Yes, there's programs that make peoples photos "more attractive" but that tends to fail half the time, not to mention, it doesn't compare 12 other people.

The TFA program only knows, "given x what is a y". And that had a 50% chance to guess between cat/dog. Not: given a-x, rank y in order from best to worse.

Re:I don't get it

[grumbel]

The problem is that you cannot generate pictures of kittens automatically.

Of course you can, thats what we have 3d graphics for. The nice thing about 3d graphics is that you can randomly vary the pose, texture, background, camera angle and so on, so you can produce a pretty much infinite amount of 2d cat pictures. The nice thing about this is that the spammer only gets to see the final 2d render, not the 3d data used to generate it, that way you can easily generate the pictures, but the spammer will have a very hard time getting information out of them. And if cats aren't enough, you can throw a heapload of other 3d meshes into the mix. You can even make this extra hard in that you not only have to click on the picture with the cat, but the cat itself. The server knows where the cat is in the 2d picture, since he has the 3d data, the client on the other side has no easy way to figure that out, which makes brute forcing quite a bit harder. You can also have many variants of questions, like "click on the two cats that look the same" or "click on the cat that has the same texture like the carpet on which the dog lies" or whatever. And you can of course also throw the spammer off by having picture of the cat inside the scene where the cat itself is.

How about

[Rik+Sweeney]

Instead of asking someone to type in the letters, numbers or how many cats there are in the photo, just randomly generate some scenario:

"Jim and Sue go to the park on Sunday. Billy the dog goes too."

Then you can ask random questions like:

"What is the name of the dog?"
"What day did they go to the park?"
"Where did they go?"

That might work OK for a while...

Not a security feature

[lb746]

CAPTCHA is not a security feature. It's a way to help avoid robots pretending to be humans. Anyone using it as a security feature is just giving more reasons for people to find ways to break them.

All in all, it's time to get rid of CAPTCHA and move on to some more logical system that would be more difficult, such as a system where users are asked to answer a simple question that contains the answer, such as:

If you were born in 1973 and JFK was shot in 1961, were you alive when he was shot?

How many liters of water fit into a five-liter bottle?

Re:Not a security feature

[corsec67]

If you were born in 1973 and JFK was shot in 1961, were you alive when he was shot?

How many liters of water fit into a five-liter bottle?

That is also a CAPTCHA, "Completely Automated Public Turing test to tell Computers and Humans Apart." A CAPTCHA doesn't have to be text in an image, that is just an easy test to auto-generate.

And, it fails the "solve problems for porn" test. The problem is spammers using real people to do stuff en-masse, so any kind of CAPTCHA wouldn't prevent that.

Ofcourse it's possible:But is it doable by humans?

[anomnomnomymous]

"...says it is usually possible to make a CAPTCHA more difficult to break by making a few simple changes."

Yes, it's possible: But keep in mind that you also have to serve the USER. When the captcha is getting so hard I can't even decipher it anymore (let alone someone with a visual handicap), it's of no use.

I stopped using Rapidshare because of its ultra annoying 'mark the cats'-captcha: I found it near-impossible to get that right (though the other day I noticed changed that back to ordinary letters).

Get the questions from the users

[John+Hasler]

How about asking every nth person successfully logging in to generate a question? Apply a lameness filter and then perhaps ask another randomly chosen user to verify that the question is reasonable. Reject duplicates and questions that too many people can't answer.

Re:damn it

[Beardo+the+Bearded]

Ah-hah! I've got the answer to our CAPTCHA problems:

We just make them so hard that it becomes impossible for a human to solve it. Then we invert the solution: if you pass the CAPTCHA, you're obviously a bot, because a human can't solve it. FAIL the CAPTCHA, we know that you're human.

But, spammers ARE humans!

[Wyck]

Well, it seems to me that spammers ARE humans. So trying to detect if the creator of the account is human or not doesn't separate the spammers from the non-spammers.

Think about it: the authenticating machines are designed by humans, and the perpetrating machines are also designed by humans, and the legitimate users are humans too.

Perhaps the problem itself needs to be restated: Allow accounts to legitimate users, deny accounts to spammers. Whether or not there is a human involved on either end seems irrelevant.

- Wyck

Re:damn it

[Chapter80]

We just make them so hard that it becomes impossible for a human to solve it. Then we invert the solution: if you pass the CAPTCHA, you're obviously a bot, because a human can't solve it. FAIL the CAPTCHA, we know that you're human.

You say this in jest, and I admit it made me smile, but we did something somewhat like this.

We have a website with a contact form on it, that gets lots of spam. After numerous discussions with marketing about implementing CAPTCHAs, we decided to simply put a text box on the form that says "leave this blank", with the HTML form field named "comment". Humans leave it blank. And sure enough, the spammers cram their links into all form fields, so we can ignore their crap.

We initially even made the form hidden (CSS font color and field color the same as the background), so a user wouldn't even see it. That was great.

Not a perfect solution for all cases, but it worked pretty well for us.

Animals' size

How about putting two pictures of animals next to each other and writing "Which animal in real life is larger?"

Re:damn it

[Beezlebub33]

Ah...reminds me of one of my favorite t-shirts:

http://www.tshirthell.com/funny-shirts/fuck-the-colorblind/

The underlying problem is that we're running out of things that are easy for people but hard for computers. Most attempts to expand or 'improve' visual CAPTCHA at this point will cause more pain to humans than reduction in computer success.

So, let's change directions, and make the computer solve a different sort of problem. For example, a turing test of sorts, where the problem is to solve something that is difficult to parse programmatically, but relatively easy for a person to answer. Maybe the recent Turing test results are a good indication of what the questions should be. Multiple related questions would be an particularly interesting area; for example, ask related questions where pronouns are ambiguous (to a computer).