Slashdot Mirror

← Back to Stories (view on slashdot.org)

Audio CAPTCHAs Cracked; ReCAPTCHA Remains Strong

Posted by ryuzaki0 on from the captcha-captcha-chameleon dept.

Falkkin writes "Ars Technica reports that audio CAPTCHAs consisting of only distorted digits or letters can be easy to crack using machine learning techniques. This includes most of the audio CAPTCHAs currently in use on the Web. The reCAPTCHA team has discussed their new audio CAPTCHA, which is resistant to this attack."

24 of 157 comments (clear)

  1. I'm sick fo CATCHA by theaveng · · Score: 5, Interesting

    It was okay at first, but now it's reached the point where it takes me 3 or 4 tries to finally guess the letters.

    It's become more hassle than it's worth. Isn't there a better way to stop bots from getting accounts?

    --
    FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
    1. Re:I'm sick fo CATCHA by LilGuy · · Score: 4, Interesting

      It's almost gotten to the point where it's easier for the bots to guess the letters than for an actual human.

      Reverse captcha?

      --

      You're nothing; like me.
    2. Re:I'm sick fo CATCHA by uglydog · · Score: 5, Funny

      trust me, his mom would be down for that. in fact, she handles multiple requests simultaneously. in the true multiple cores way, not the hyperthreading way

    3. Re:I'm sick fo CATCHA by socsoc · · Score: 5, Interesting

      A method I use is to put an input field with a name like "subject" in a contact form and then hide it via CSS. Then if that field is populated in the form submission, the server side drops the request.

      It isn't the most accessible-friendly method in the world, but once I started doing this, all spam submissions dropped out. It's not foolproof and it's just another step in an arms race, but I agree that CAPTCHAs have gotten out of hand. They are especially confusing to people who are not tech savvy and don't know why they are trying to decipher a spirograph drawing in order to do something simple on your website.

    4. Re:I'm sick fo CATCHA by X0563511 · · Score: 5, Insightful

      Well, kudos for using CSS instead of javascript to hide it.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    5. Re:I'm sick fo CATCHA by greatgregg · · Score: 4, Insightful

      This only works for small sites. Certainly the Yahoos and Googles of the world can't rely on something that can be broken with 2 minutes of hacking.

    6. Re:I'm sick fo CATCHA by Anonymous Coward · · Score: 4, Funny

      I'm trying to figure out what that translates to, but it's making my head hurt. So hyperthreading means she is "emulating" multiple "interfaces" with just one... Ow.

      BTW, CAPTHCA for this post? "Receptor".

    7. Re:I'm sick fo CATCHA by rhizome · · Score: 3, Funny

      And for your blind users...?

      I'm not the poster you're replying to, but I have a guess at how this works.

      First off, the blind person can't see, right? So the chances of them viewing source for a random page (or every form page they encounter) is probably pretty miniscule. At least I'll say it's comparable to the rate that sighted people view source as a matter of course in their browsing sessions.

      So OK, they aren't just reading the source, finding a hidden form field and wondering why this hasn't been presented to them by their screen reader. They've just been checking news, blogs, posting a comment or two here and there, but nowhere in their Internet Travels have they had to contend with this curious case of a hidden "Subject:" field. What to do?

      It turns out the answer is quite simple. That the blind person, much like their sighted counterpart, does not submit a given form with hidden fields filled in pegs them as a curious person indeed. Since the only submissions without the Subject field filled in will be from people who read the source and (for some reason) decided not to fill in the subject line, or people who just don't know about it. Quite the conundrum! Thankfully from the grandparent post, we know that posts with this hidden Subject: field are disposed of, deleted. Wacky, eh? So it seems, and I'm just speculating here, that filling in hidden fields is actually a way...hold on now...to determine that the submitter is not a person. Beyond that, and really

      I have no idea how he does this, blind people are not treated any differently in this regard.
      I know, right? It took me awhile to figure it out, but I think I at least have the gist of it.

      --
      When I was a kid, we only had one Darth.
  2. Screen capture by Dan+East · · Score: 4, Funny

    I'm half afraid to admit this publicly, but did anyone else try clicking the "play" button on screenshot of the audio CAPTCHA player in the first article? I took me a few tries before I realized it was only an image.

    --
    Better known as 318230.
  3. hell by nomadic · · Score: 3, Funny

    I'm a human being and I can't break audio captcha. Sounds like gibberish to me.

    1. Re:hell by numbsafari · · Score: 4, Insightful

      You're probably a bot.

    2. Re:hell by Lobster+Quadrille · · Score: 4, Funny

      Don't know what your problem is- I'm a perl script and I understood it just fine.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
  4. Re:It doesn't matter too much anyway... by flux · · Score: 3, Interesting

    If you can make it to a longer time for a human to crack it, it would increase the costs. Double the time, double the cost.

    But, say, if it now takes 10 seconds to crack a captcha, it would need to take more than an hour to cost $1 per captcha :-).

    I wonder how a web-of-trust system combined with more difficult captchas (more trust -> easier captchas) would work; if a branch of the web is a spammer, it's easier to cut off.. But, this must've been suggested even in this context already, so hit me with the "your spam protection idea doesn't work, because.." form ;-).

  5. REPATCHA strong? by RiotingPacifist · · Score: 3, Interesting

    i thought RECAPATCHA was susceptible, as if enough bots guess the same answer on an image they will make that a valid answer. Does this not work or has nobody bothered?

    --
    IranAir Flight 655 never forget!
    1. Re:REPATCHA strong? by Anonymous Coward · · Score: 5, Interesting

      If you get it wrong, they'll temporarily start sending you captchas in which both words are known. The chances of a bot guessing both words correctly are minuscule.

  6. Solution to AI research? by ashp · · Score: 5, Funny

    They should just make a CAPTCHA that requires strong AI to crack; we could make a great leap ahead in AI by letting the spammers solve all the problems for us!

  7. RECAPTCHA by EddyPearson · · Score: 5, Insightful

    People crack CAPTCHAs for profit. They either sell the algorithms to spammers or spam themselves.

    The thing is, if you managed to reliably crack RECAPTCHA, then you've succeeded where all the best OCR software on the market has failed (All Recaptcha's are words that couldn't be deciphered by existing software). At which point there's big bucks to be made legally selling the software.

    --
    You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
  8. Re:Give it up already by compro01 · · Score: 4, Insightful

    Banning that way doesn't work real well when you consider dynamic IPs, distributed attacks (bot nets), proxies, etc.

    Unless you're willing to ban at least a third of the world, you're not going to get much out of that.

    --
    upon the advice of my lawyer, i have no sig at this time
  9. Audio requred by law by tepples · · Score: 5, Funny

    In my crystal ball I see some fool who does not turn off the sound on the PC in an office.

    By law, offices of companies over a certain size must accommodate people whose disability requires sound to do their jobs.

    Unfortunately, history has shown that many people also still have digital camera's that make the *click* noise

    By law, camera phones must make the click noise when operated within some countries to help fight voyeurism.

    1. Re:Audio requred by law by Waffle+Iron · · Score: 5, Insightful

      By law, camera phones must make the click noise when operated within some countries to help fight voyeurism.

      That's a great idea. However, we need a law for video cameras, too.

      I propose that by law, each video camera must be equipped with a prominent hand crank, and shall only record while the crank is being turned. Furthermore, as added protection, people with video cameras must wear a beret and carry a conical megaphone at all times while operating said device.

    2. Re:Audio requred by law by Ihmhi · · Score: 3, Funny

      I think forcing everyone who uses a video camera to dress up like a French cheerleader would fall under cruel and unusual punishment.

      --
      Random Thoughts From A Diseased Mind (Not For Dummies)
  10. Back to Old School Methods of Verification by Ron+Bennett · · Score: 4, Insightful

    Captchas are user unfriendly and relatively ineffective.

    A more effective route is to require a new user to submit their postal address and a phone number. Then the service mails a post card containing a verification code to the postal address and/or calls the phone number. Google does this for AdSense publishers.

    Ron

    1. Re:Back to Old School Methods of Verification by fuzzyfuzzyfungus · · Score: 3, Interesting

      One thing we could do more of(though it is not without risks of its own) would be looking at getting the account as only the first step, rather than the last. For instance, some free webmail service could rate limit new accounts to only X emails/hour, or change an account's rate limit according to how spammy its outgoing messages look(or, within a given service, how often other members mark that account's mail as spam). On forums, you could do the same in response to other user's moderation of posts.

      This would work relatively poorly for high value things like bank accounts (though high value stuff can be handled by more expensive means, like phone confirmation) but it could be quite useful for low value things like webmail accounts. The task of sorting humans from bots on a single computer generated task is getting ever harder, particularly if you need to make a binary yes/no decision on the spot; but giving an account greater or lesser resources according to how human its activity looks is much more tractable. It won't be perfect; but it should reduce the value to spammers of the accounts they do get.

  11. Re:Why are CAPTCHAs so stupid? by fuzzyfuzzyfungus · · Score: 4, Insightful

    The tricky bit with CAPTCHA is not just asking questions that are easy for humans and hard for AI. There is a huge field of well known stuff, common sense, basic knowledge, etc, etc. that would work. The problem is asking questions that are easy for AI to ask, easy for humans to answer and hard for AI to answer.

    If you have to manually populate your CAPTCHA, you have a problem. It costs just about as much(in money and time) to manually document a set of CAPTCHA questions as it would to build the set. If you can't generate questions automatically, your CAPTCHA will be expensive, or useless, or both. RECAPTCHA is interesting in that is a something of a hybrid. It makes use of real world complexity, from scanned documents; but largely automates the conversion of real world complexity into CAPTCHAs, which makes it fairly practical to use at a large scale.