Slashdot Mirror
Building a Better CAPTCHA
jcatcw writes "Steven J. Vaughan-Nichols reports that CAPTCHA cracking isn't that difficult these days. It has even become a business. For example, DeCaptcher.com will solve CAPTCHAs for your spamming needs at a rate of $2 per 1,000 successfully cracked CAPTCHAs. In response, newer systems are in development. Both Carnegie Mellon and Penn State (is there something about the water in PA?) are working on image-based systems. ESP-PIX and SQ-PIX both require the viewer to interpret pictures. Imagination CAPTCHA from Penn has the user find the center of an image. The idea is that humans are better at image recognition that computers, but humans can legitimately disagree on their interpretations and some humans are color blind. Problems remain. For now, sites would be well advised to look at reCAPTCHA — the system that works with Google Books and the Internet Archive to digitize printed texts — which comes with a wide variety of application and programming plug-ins and an open API."
I know _I_ often have trouble seeing those... Maybe some sort of an animated .gif would be better?
I speak for everyone. Captchas SUCK.
Get rid of them.
C.A.P.T.C.H.A - Completely Automated Public Turing test to tell Computers and Humans Apart.
This is a dying technology.
1) Computers and synthetic systems in general are ONLY going to get better at doing anything a human can do. I mean anything.
2) Humans are a substitute for our lack of a synthetic system to solve a CAPTCHA.
A CAPTCHA has two answers to it's owner. This is a Human and this is a Computer. Humans can be hired to solve CAPTCHA at economically viable rates to meet the demand with a supply. Computers are catching up at being able to solve various CAPTCHAs creating an "arms race" between developers and those that need to crack CAPTCHA automatically with high throughput.
The window for this technology to be effective in its use is shrinking rapidly and it will only be a matter of time before it is nearly impossible to tell without phsyical inspection what is a synthetic human reponse and an actual one.
Even if they had a perfect system that could tell a person from a computer, how can they prevent a CAPTCHA for porn system?
(You make a website offering porn for entering the solution to a CAPTCHA from a 2nd site, and then use that solution on that 2nd site)
If I have nothing to hide, don't search me
Instead of one little captcha at the end of a web form, the whole site will be a captcha.
All the form labels will be jumbled images, and there will be 9 form submit buttons, 8 with dogs and 1 with a cat.
All textual content can be a mangled image to stop scrapers as a bonus.
Oh and please don't actually build this.
I thought the ideal captcha would be worded questions presented in the same image-like format as current captchas, e.g. "Two and Two makes?" or "The opposite of day is..?" Whilst the image recognition is now feasible, making a general system to solve this problem would be somewhat more difficult than just improved single-word captchas.
Annoyingly, however, the system to create such captchas cannot really be automated (in terms of creating the questions). So I suppose as long as the captchas are computer created / can be made automatically, they will also be computer crackable/solvable
Any CAPTCHA system can easily be cracked by building a large database with the inputs and outputs that was actually solved by humans and then saved into the database for lookup later. The inputs don't need to be text, they can contain images ( or hash codes representing images ), or css or whatever is needed to define the input data. The only feasable way to stop this kind of caching of answers is to have no duplicate tests. For example, a large field of randomly colored circles that all vary in size and position and move slowly around, then tell the user to hover the mouse over the largest blue circle and then next have them move the mouse over the green triangle, etc. Then base their "pass or fail" on how well they could move the mouse fast enough. And change the test often, like, put the mouse over the shape that looks like a bunny etc.
Will this detect Cylons?
No one could ever predict that it would be spammers and porn merchants who would solve the hardest problems in AI.
Enough with the annoying captcha's stop comment spam by just analyzing the content.
Free and works well:
http://defensio.com/
I really hate image-based CAPTCHAS, because they discriminate against lynx users. I seriously remember at least one occasion where I was using lynx for whatever obscure reason, and I came upon "enter the text shown in the box at the left". Fail. I like the math problem ones better.
The idea is that humans are better at image recognition that computers, but humans can legitimately disagree on their interpretations and some humans are color blind.
COLOR blind? Some humans are BLIND blind. Others have various vision or vision processing impairments that would make meatware-visual-coprocessor-test CAPTCHAs reject them.
IMHO most CAPTCHAs are already and obviously violating of the Americans with Disabilities Act. So now, in the info-war between weapons and armor (which weapons always win anyhow), even more of us less-than-Aryan-Supermen become collateral damage.
Dogs are (allegedly) color blind and "... on the Internet nobody can tell you're a dog!". Well, maybe PEOPLE can't. But now the web applications can. B-(
The solution to being attacked by better weapons is not better armor. That's only a stopgap. The solution is to hunt down those who misuse weapons and make them incapable of or unwilling to continue.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
...even though CraigsList uses reCAPTCHA and the article talks about a utility that helps spammers automatically post on CL.
Besides, it's fairly easy to set up a Mechanical Turk HIT for users to solve CAPTCHAs for a penny a piece. Assuming you make more than a penny per captcha solved, you're set. If not, make someone successfully solve more than one CAPTCHA per HIT submission.
I claim first use of "Error No. 0B" - or "No. 0B error." It'll be the new ID 10T!
Presumably the universe of tunes every internet user could be expected to know is quite small, so it would only be a matter of matching to that set. There's already an iPhone app (Shazam, I think it's called) that can identify ambient music and send you to the iTunes purchase link. That's presumably a much harder problem (a vastly bigger universe and probably poorer sound quality), and it's already been solved.
.sig withheld by request
Give me the frames of such an animation and I can trivially write a program that simulates persistence of vision by smearing the pixels over time, thus making it solvable by a computer.
In the long run, CAPTCHAs are doomed.
I stole this sig from someone cleverer than me.
I'm not sure how, yet, but I want people to start thinking about it this way.
Just like DRM.
See, with DRM, start with the assumption that all DRM can and will be cracked, and that all software and media can and will be pirated. Your challenge, then, is to make the legitimate product provide at least the quality and value of the pirated copy (something most DRM'd solutions fail miserably at), and ideally make it desirable enough that your price starts to seem reasonable, even when the alternative is "free".
So, the same applies to CAPTCHAs. Start with the assumption that all CAPTCHAs can and will be cracked, even if "cracking" means "using Mechanical Turk and/or a real sweatshop to have humans crack it". Now, start thinking in terms of economics. Build a system which doesn't have sufficiently good payoff for cracking it for anyone to bother -- a system which, by its very nature, can't be spammed.
If you can at least get it to where the only waste is bandwidth and disk space, you're doing pretty good. That's about my current spam situation -- it's a statistical filter which operates on the entire message, but it works incredibly well.
Until then, an automated hack that seems to work well, at least to stop blog spam, is to require AJAX, and send a bit of programmatically generated (but always different) JavaScript, and verify that it was executed. This will stop most automated systems until they start specifically targeting you with embedded Javascript engines. Next: Make it computationally expensive, so that they have to use a botnet if they're to get any real results.
Don't thank God, thank a doctor!
I was thinking brute force isn't feasible when every failure generates a new question.
But let me take another stab at it.
What if the question wasn't always "what is in the picture?"
Given a database of 1000 basic images like animals, shapes, fruits, and vegetables matched to the word for what each one is and it's catagory (animal, fruit, etc).. Now the CAPTCHA shows 6 of them in 6 little squares. (~985 quadrillion combinations) It can ask a nearly endless list of questions using simple formulae:
What is the third image?
How many animals are shown? Spell the number.
Type the first 2 letters of each fruit.
Type the shape names using no spaces.
Instead of always asking "what are the 5 digits" now we're asking for an almost arbitrary number of digits. And there are 6 picture images that have to be ID'd.
Did I beat the OCR problem w/o introducing any fatal new ones?
Operator, give me the number for 911!
Who the hell knows that shit??? O_o
Google.
In other news, it's probably a bad idea to base a captcha on something Google will look up for you.