Slashdot Mirror

← Back to Stories (view on slashdot.org)

Now Even Photo CAPTCHAs Have Been Cracked

Posted by timothy on from the given-enough-eyeballs dept.

MoonUnit writes "Technology Review has an interesting article about the way CAPTCHAS are fueling AI research. Following recent news about various textual CAPTCHAs being cracked, the article notes that a researcher at Palo Alto Research Center has now found a way crack photo-based CAPTCHAs too. Most approaches are based on statistical learning, however, so Luis von Ahn (one of the inventors of the CAPTCHA) says it is usually possible to make a CAPTCHA more difficult to break by making a few simple changes."

11 of 340 comments (clear)

  1. I don't get it by ilovegeorgebush · · Score: 4, Interesting

    To detect humans, wouldn't it be easier and less costly, and perhaps even more effective, to hold a large database of questions that are readable and solvable only by humans?

    Asking simple math or site-relevant questions are not only easier for humans (I'm talking about "What's 5 - 3") to read, but they're harder for automated parsing by software to crack.

    --
    ilovegeorgebush
    1. Re:I don't get it by Abstrackt · · Score: 5, Interesting
      The best security I've seen on a sign-up form was "if you're a human, please leave this field blank". Bots tend to fill in all fields, so this already goes a long way towards filtering them out.

      You can even take this approach one step further and use CSS to move the field outside the viewable range of the page or set its visible property to false so the user won't even see it.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    2. Re:I don't get it by VeNoM0619 · · Score: 3, Interesting

      Asirra asks users to correctly classify images of either cats or dogs using a database of three million images provided by animal-rescue organizations.

      Only cats and dogs. Like I said earlier, don't limit it to just a few species. Pick one at random.

      Example: You are shown 20 pictures, all of random animals, it asks which one is the cutest aardvark, then which is the happiest turtle. Continuing random traits with random animals. Their flaw was limiting it to just dogs and cats.

      Or to take it to a different level. Most attractive/sexy/cute/old/etc. female(or male). Computers cannot tell what is the "most" prevalent "society" based trait of a picture. Yes, there's programs that make peoples photos "more attractive" but that tends to fail half the time, not to mention, it doesn't compare 12 other people.

      The TFA program only knows, "given x what is a y". And that had a 50% chance to guess between cat/dog. Not: given a-x, rank y in order from best to worse.

      --
      Disclaimer: I am not god.
      We may not be created equal
      But we can be treated equal.
  2. How about by Rik+Sweeney · · Score: 5, Interesting

    Instead of asking someone to type in the letters, numbers or how many cats there are in the photo, just randomly generate some scenario:

    "Jim and Sue go to the park on Sunday. Billy the dog goes too."

    Then you can ask random questions like:

    "What is the name of the dog?"
    "What day did they go to the park?"
    "Where did they go?"

    That might work OK for a while...

    --
    Summation 2
  3. Not a security feature by lb746 · · Score: 4, Interesting

    CAPTCHA is not a security feature. It's a way to help avoid robots pretending to be humans. Anyone using it as a security feature is just giving more reasons for people to find ways to break them.

    All in all, it's time to get rid of CAPTCHA and move on to some more logical system that would be more difficult, such as a system where users are asked to answer a simple question that contains the answer, such as:

    If you were born in 1973 and JFK was shot in 1961, were you alive when he was shot?

    How many liters of water fit into a five-liter bottle?

  4. Ofcourse it's possible:But is it doable by humans? by anomnomnomymous · · Score: 3, Interesting

    "...says it is usually possible to make a CAPTCHA more difficult to break by making a few simple changes."

    Yes, it's possible: But keep in mind that you also have to serve the USER. When the captcha is getting so hard I can't even decipher it anymore (let alone someone with a visual handicap), it's of no use.

    I stopped using Rapidshare because of its ultra annoying 'mark the cats'-captcha: I found it near-impossible to get that right (though the other day I noticed changed that back to ordinary letters).

    --
    When you shoot a mime, do you use a silencer?
  5. Get the questions from the users by John+Hasler · · Score: 3, Interesting

    How about asking every nth person successfully logging in to generate a question? Apply a lameness filter and then perhaps ask another randomly chosen user to verify that the question is reasonable. Reject duplicates and questions that too many people can't answer.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  6. Re:damn it by Beardo+the+Bearded · · Score: 5, Interesting

    Ah-hah! I've got the answer to our CAPTCHA problems:

    We just make them so hard that it becomes impossible for a human to solve it. Then we invert the solution: if you pass the CAPTCHA, you're obviously a bot, because a human can't solve it. FAIL the CAPTCHA, we know that you're human.

    --

    ---
    ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  7. But, spammers ARE humans! by Wyck · · Score: 4, Interesting

    Well, it seems to me that spammers ARE humans. So trying to detect if the creator of the account is human or not doesn't separate the spammers from the non-spammers.

    Think about it: the authenticating machines are designed by humans, and the perpetrating machines are also designed by humans, and the legitimate users are humans too.

    Perhaps the problem itself needs to be restated: Allow accounts to legitimate users, deny accounts to spammers. Whether or not there is a human involved on either end seems irrelevant.

    - Wyck

  8. Re:damn it by Chapter80 · · Score: 5, Interesting

    We just make them so hard that it becomes impossible for a human to solve it. Then we invert the solution: if you pass the CAPTCHA, you're obviously a bot, because a human can't solve it. FAIL the CAPTCHA, we know that you're human.

    You say this in jest, and I admit it made me smile, but we did something somewhat like this.

    We have a website with a contact form on it, that gets lots of spam. After numerous discussions with marketing about implementing CAPTCHAs, we decided to simply put a text box on the form that says "leave this blank", with the HTML form field named "comment". Humans leave it blank. And sure enough, the spammers cram their links into all form fields, so we can ignore their crap.

    We initially even made the form hidden (CSS font color and field color the same as the background), so a user wouldn't even see it. That was great.

    Not a perfect solution for all cases, but it worked pretty well for us.

  9. Re:damn it by Beezlebub33 · · Score: 5, Interesting

    Ah...reminds me of one of my favorite t-shirts:

    http://www.tshirthell.com/funny-shirts/fuck-the-colorblind/

    The underlying problem is that we're running out of things that are easy for people but hard for computers. Most attempts to expand or 'improve' visual CAPTCHA at this point will cause more pain to humans than reduction in computer success.

    So, let's change directions, and make the computer solve a different sort of problem. For example, a turing test of sorts, where the problem is to solve something that is difficult to parse programmatically, but relatively easy for a person to answer. Maybe the recent Turing test results are a good indication of what the questions should be. Multiple related questions would be an particularly interesting area; for example, ask related questions where pronouns are ambiguous (to a computer).

    --
    The more people I meet, the better I like my dog.