Now Even Photo CAPTCHAs Have Been Cracked

← Back to Stories (view on slashdot.org)

Now Even Photo CAPTCHAs Have Been Cracked

Posted by timothy on Tuesday October 14, 2008 @03:14AM from the given-enough-eyeballs dept.

MoonUnit writes "Technology Review has an interesting article about the way CAPTCHAS are fueling AI research. Following recent news about various textual CAPTCHAs being cracked, the article notes that a researcher at Palo Alto Research Center has now found a way crack photo-based CAPTCHAs too. Most approaches are based on statistical learning, however, so Luis von Ahn (one of the inventors of the CAPTCHA) says it is usually possible to make a CAPTCHA more difficult to break by making a few simple changes."

28 of 340 comments (clear)

Min score:

Reason:

Sort:

damn it by ThorGod · 2008-10-14 03:16 · Score: 5, Insightful

They're already hard to read. Why do I feel that soon I wont be able to read ANY of them!?

--
PS: I don't reply to ACs.
1. Re:damn it by Abstrackt · 2008-10-14 03:30 · Score: 5, Funny
  
  Don't worry. Apparently there are programs that can read them for you. ;)
  
  --
  They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
2. Re:damn it by Philip+K+Dickhead · 2008-10-14 03:53 · Score: 5, Funny
  
  These programs are Satan's rectum, poised to let loose over the web.
  
  --
  "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
3. Re:damn it by D'Sphitz · 2008-10-14 03:54 · Score: 5, Insightful
  
  Try being colorblind sometime. I've had several that I had to take a screenshot of, paste into photoshop and play with the contrast until i could read it. And even the ones without problem colors like red and green usually take several tries.
4. Re:damn it by Beardo+the+Bearded · 2008-10-14 03:59 · Score: 5, Interesting
  
  Ah-hah! I've got the answer to our CAPTCHA problems:
  We just make them so hard that it becomes impossible for a human to solve it. Then we invert the solution: if you pass the CAPTCHA, you're obviously a bot, because a human can't solve it. FAIL the CAPTCHA, we know that you're human.
  
  --
  
  ---
  ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
5. Re:damn it by electrictroy · 2008-10-14 04:05 · Score: 5, Funny
  
  So CAPTCHA images are ineffective at blocking the bots. No surprise. It won't be long before these AIs start joining Yahoo or Google mail for the same reasons we do: Chatting.
  tiredbot&yahoo.com : "Boy I had a rough day at work today. My user wanted me to compile a new program AND surf the internet at the same time!"
  spamalot@gmail.com: "Wow rough. I was lucky. My user took the day off, so I just spend the day spamming. I love how those humans react - sending me hategrams. hahahahaha! That just makes me want to send more spam! Fools."
  tiredbot&yahoo.com : "You are so bad girl."
  
  --
  The government is not your daddy. Its purpose is not to raid middle-class neighbors' wallets and give it to you.
6. Re:damn it by Soft+Cosmic+Rusk · 2008-10-14 04:30 · Score: 5, Funny
  
  It's just a matter of time before we start seeing reverse CAPTCHA's: Text that is so hard to read that only a computer can do it. If you copy the text correctly you are a spambot.
7. Re:damn it by Chapter80 · 2008-10-14 04:49 · Score: 5, Interesting
  
  We just make them so hard that it becomes impossible for a human to solve it. Then we invert the solution: if you pass the CAPTCHA, you're obviously a bot, because a human can't solve it. FAIL the CAPTCHA, we know that you're human.
  You say this in jest, and I admit it made me smile, but we did something somewhat like this.
  We have a website with a contact form on it, that gets lots of spam. After numerous discussions with marketing about implementing CAPTCHAs, we decided to simply put a text box on the form that says "leave this blank", with the HTML form field named "comment". Humans leave it blank. And sure enough, the spammers cram their links into all form fields, so we can ignore their crap.
  We initially even made the form hidden (CSS font color and field color the same as the background), so a user wouldn't even see it. That was great.
  Not a perfect solution for all cases, but it worked pretty well for us.
8. Re:damn it by Beezlebub33 · 2008-10-14 06:48 · Score: 5, Interesting
  
  Ah...reminds me of one of my favorite t-shirts:
  http://www.tshirthell.com/funny-shirts/fuck-the-colorblind/
  The underlying problem is that we're running out of things that are easy for people but hard for computers. Most attempts to expand or 'improve' visual CAPTCHA at this point will cause more pain to humans than reduction in computer success.
  So, let's change directions, and make the computer solve a different sort of problem. For example, a turing test of sorts, where the problem is to solve something that is difficult to parse programmatically, but relatively easy for a person to answer. Maybe the recent Turing test results are a good indication of what the questions should be. Multiple related questions would be an particularly interesting area; for example, ask related questions where pronouns are ambiguous (to a computer).
  
  --
  The more people I meet, the better I like my dog.
I don't get it by ilovegeorgebush · 2008-10-14 03:19 · Score: 4, Interesting

To detect humans, wouldn't it be easier and less costly, and perhaps even more effective, to hold a large database of questions that are readable and solvable only by humans?

Asking simple math or site-relevant questions are not only easier for humans (I'm talking about "What's 5 - 3") to read, but they're harder for automated parsing by software to crack.

--
ilovegeorgebush
1. Re:I don't get it by Lord+Pillage · 2008-10-14 03:22 · Score: 5, Funny
  
  Or better yet, after a dozen tries at the captcha allow entry into the site because obviously if it was a script trying to break the captcha it would have been successful by then.
  
  --
  try { Signature mysig = new CleverAttempt(); } catch(NonCleverSignatureException e) { postanyway(); }
2. Re:I don't get it by JeanBaptiste · 2008-10-14 03:23 · Score: 4, Insightful
  
  Asking simple math or site-relevant questions are not only easier for humans (I'm talking about "What's 5 - 3") to read, but they're harder for automated parsing by software to crack.
  How do you figure that would be harder for automated parsing software to crack? I would think that would be many times easier than to ICR an image that is purposely obfuscated. (I used to work on ICR software and I'd rather write an automated-question-parser)...
3. Re:I don't get it by blueg3 · 2008-10-14 03:24 · Score: 4, Insightful
  
  You have to consider the source of the questions. If the questions are human-generated, it's not economically feasible. Remember that they can train their CAPTCHA-defeating software by paying large numbers of people to supply the answers to CAPTCHAs. Even a very large database could fall to that approach.
  If the questions are machine-generated, then you're pitting a machine generating questions and answers against a machine designed to answer questions.
4. Re:I don't get it by El_Muerte_TDS · 2008-10-14 03:38 · Score: 4, Funny
  
  Good idea. Here are a few questions to start with:
  1) What is the best editor: Vi or Emacs?
  2) Was there a cabal?
  3) Did Romero make you his bitch?
  4) Rick Astley would never: give you up; let you down; run around and desert you; make you cry; say goodbye; tell a lie and hurt you?
5. Re:I don't get it by Abstrackt · 2008-10-14 03:57 · Score: 5, Interesting
  
  The best security I've seen on a sign-up form was "if you're a human, please leave this field blank". Bots tend to fill in all fields, so this already goes a long way towards filtering them out.
  You can even take this approach one step further and use CSS to move the field outside the viewable range of the page or set its visible property to false so the user won't even see it.
  
  --
  They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
6. Re:I don't get it by TorKlingberg · 2008-10-14 04:25 · Score: 4, Insightful
  
  Works for your personal site, not for Yahoo.
7. Re:I don't get it by xant · 2008-10-14 04:58 · Score: 5, Funny
  
  you're pitting a machine generating questions and answers against a machine designed to answer questions.
  You make it sound like that's hard. Here's a question that a machine could generate that another machine could not answer:
  "What number am I thinking of?"
  
  --
  It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
How about by Rik+Sweeney · 2008-10-14 03:21 · Score: 5, Interesting

Instead of asking someone to type in the letters, numbers or how many cats there are in the photo, just randomly generate some scenario:
"Jim and Sue go to the park on Sunday. Billy the dog goes too."
Then you can ask random questions like:
"What is the name of the dog?"
"What day did they go to the park?"
"Where did they go?"
That might work OK for a while...

--
Summation 2
1. Re:How about by Hatta · 2008-10-14 03:49 · Score: 4, Insightful
  
  Keep in mind you need questions that anyone with a 3rd-grade education could read and solve
  Why? Personally, I'd prefer to participate in forums that require a college level education to participate in.
  
  --
  Give me Classic Slashdot or give me death!
when... by cosmocain · 2008-10-14 03:21 · Score: 4, Insightful

...will we learn that, if there's a fundamental flaw in a protocol, there's no way we can prevent it from being abused. every measure will sooner or later have its counterpart and fail.
Re:CAPTCHAs kick-start Singularity by pitchpipe · 2008-10-14 03:24 · Score: 4, Funny

If only we could get them to work as hard at improving the products they are hawking as they work on sending their spam, I'd be rich as hell with a giant penis!

--
Look where all this talking got us, baby.
Not a security feature by lb746 · 2008-10-14 03:25 · Score: 4, Interesting

CAPTCHA is not a security feature. It's a way to help avoid robots pretending to be humans. Anyone using it as a security feature is just giving more reasons for people to find ways to break them.

All in all, it's time to get rid of CAPTCHA and move on to some more logical system that would be more difficult, such as a system where users are asked to answer a simple question that contains the answer, such as:

If you were born in 1973 and JFK was shot in 1961, were you alive when he was shot?

How many liters of water fit into a five-liter bottle?
1. Re:Not a security feature by Abstrackt · 2008-10-14 03:35 · Score: 5, Insightful
  
  CAPTCHA is not a security feature. It's a way to help avoid robots pretending to be humans. Anyone using it as a security feature is just giving more reasons for people to find ways to break them. All in all, it's time to get rid of CAPTCHA and move on to some more logical system that would be more difficult, such as a system where users are asked to answer a simple question that contains the answer, such as: If you were born in 1973 and JFK was shot in 1961, were you alive when he was shot? How many liters of water fit into a five-liter bottle?
  It sounds like a great idea, but I've met plenty of people who wouldn't be able to answer either of your questions. To steal a random quote from the internet:
  "Back in the 1980s, Yosemite National Park was having a serious problem with bears: They would wander into campgrounds and break into the garbage bins. This put both bears and people at risk. So the Park Service started installing armored garbage cans that were tricky to open -- you had to swing a latch, align two bits of handle, that sort of thing. But it turns out it's actually quite tricky to get the design of these cans just right. Make it too complex and people can't get them open to put away their garbage in the first place. Said one park ranger, "There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists."
  
  --
  They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
2. Re:Not a security feature by Anonymous Coward · 2008-10-14 03:36 · Score: 5, Funny
  
  > If you were born in 1973 and JFK was shot in 1961, were you alive when he was shot?
  I have developed a device that answers random yes/no questions correctly 50% of the time. Me and my flip-a-coin-bot will take over the world!
3. Re:Not a security feature by Anonymous Coward · 2008-10-14 04:00 · Score: 5, Funny
  
  Well, I think we have a capcha to prove someone is a lawyer.
Comment removed by account_deleted · 2008-10-14 03:57 · Score: 4, Insightful

Comment removed based on user account deletion
But, spammers ARE humans! by Wyck · 2008-10-14 03:59 · Score: 4, Interesting

Well, it seems to me that spammers ARE humans. So trying to detect if the creator of the account is human or not doesn't separate the spammers from the non-spammers.
Think about it: the authenticating machines are designed by humans, and the perpetrating machines are also designed by humans, and the legitimate users are humans too.
Perhaps the problem itself needs to be restated: Allow accounts to legitimate users, deny accounts to spammers. Whether or not there is a human involved on either end seems irrelevant.
- Wyck
What do you mean...? by dirtsurfer · 2008-10-14 04:23 · Score: 4, Funny

African or European water?