A Vision For a World Free of CAPTCHAs

An anonymous reader writes "Slate argues that we're going about verifying humans on the Web all wrong: 'As Alan Turing laid out in the 1950 paper that postulated his test, the goal is to determine whether a computer can behave like a human, not perform tasks that a human can. The reason CAPTCHAs have a term limit is that they measure ability, not behavior. ... the random, circuitous way that people interact with Web pages — the scrolling and highlighting and typing and retyping — would be very difficult for a bot to mimic. A system that could capture the way humans interact with forms algorithmically could eventually relieve humans of the need to prove anything altogether.' Seems smart, if an algorithm could actually do that."

I read something about this

[gcnaddict]

I remember reading... I can't remember if it was a post about an algorithm already written or a proposal for an algorithm which would run alongside a CAPTCHA through the entire registration process, but the basic premise was just that: measure the entropy and fluidity of human movement and determine whether or not the user is a bot based on whether or not the user fits typical random human usage patterns.

I also remember the writer of the post noting that this kind of system would basically stretch the human-unwittingly-answers-CAPTCHA out such that humans would have to do the entire setup process manually instead of just the CAPTCHA, thus defeating the point of automated setup.

Does anyone have this article? I can remember reading it but I can't find it.

Re:I read something about this

[caramelcarrot]

Last time this came up, I suggested the idea of constant bayesian analysis on HTTP logs to determine the likelyhood of the current user being a bot.

It could take things into account like if the user bothered to visit previous pages, request images, the time between requests etc. You could then either just make the webserver kill the connection, or you could add a function to your preferred web language (e.g. PHP) that returned the probability that the current user is a bot, and so redirect them to a more annoying turing test or block them.

This'd also work pretty effectively if people wanted to stop scrapers and bots in browser games. Of course a bot could mimic all this, but it'd raise the cost of entry significantly - and it might end up being that the bot is no more effective than a human working 24/7, though even then you'd need to be changing ips constantly.

I was thinking of trying to implement this over the summer, based on comment spam bots on my website, all without any need for client-side spying

Re:What does it mean to be human?

[Devout_IPUite]

I might recommend http://en.wikipedia.org/wiki/Homosapien for further reading on this topic. Clearly, you are not a human no matter how smart you are if you're a computer. Are you a person? Well, depends how you define 'person'.

Re:Just a Thought...

[Joce640k]

I disagree. I don't think there's anything terribly un-mimicable about the way humans interact with web pages.

Besides, have you considered the effect of false positives (which will be many)?

With a captcha it's a black/white decision and people know why they passed/failed.

In the world being proposed in the article people will have to sit dejectedly wiggling their mouse while a web page decides if they're human or not based on some unknown criteria. Pass or fail? It's up to the machine.

After two or three sessions of this people will be running away screaming from your web pages.

Not a great idea

[jgoemat]

The article did have links to some interesting topics, such as google experimenting with image orientation as a test. The premise of using how a user interacts with a page is deeply flawed though. There's not even a need for an algorithm or program to 'figure out' the captcha, just record how an actual user interacts once and you can send the same exact thing every time to pass the test. The reason this works is because the 'question' doesn't change. This would be like showing the same text captcha every time. If they ignore identical values being sent, the values can just be fudged a bit.

Use Turbo Tax Lately

[SunSpot505]

When I posted question to the Turbo Tax community forum it asked a simple question as a CAPTCHA. Seems like an easy enough solution, and it changes each time to foil a persistent brute force attack.

Of course I'm sure it's only a matter of time before someone has an algorithm smart enought to answer questions. And I suppose that a botnet with enought time would work too. Still an interesting approah I thought.

Re:Just a Thought...

[cskrat]

The anonymous poster that you're responding to was actually the one to introduce the word "quickly" to the discussion.

That being said, I think the method proposed at the end of the article is flawed in that the algorithm is reversible and facing the wrong direction.

Assuming that the website in question only has access to the message information passed to the GUI window of the browser by the OS, (I'm sure as hell never installing a browser with ring 0 access to my system) it would be fairly trivial to produce an AI algorithm to replicate that behavior. A few hard coded target parameters and a bit of randomization would sufficiently emulate a human based on gathered metrics of a small sample, possibly as small as just one, human subjects. And don't forget that spammers don't need anywhere near a %100 success rate to be viable.

The checking process, on the other hand, would require a very large, heterogeneous sample of human subjects to determine the limits, distribution, and correlations of tested metrics. A team of statisticians and psychologists would be required to analyze the data so that it can be converted into a working algorithm by software engineers. That's an enormous amount of man hours just to produce the system. Assuming, however, that the system is produced in spite of it's high development cost, it would still be computationally expensive to analyze each potential human to see if it's generating a valid combination of metrics.

Think of it this way, It's trivial for me to write a PHP script to quickly generate valid XML markup to send to a remote system. Parsing a string of potential XML on the other side, however, is more computationally intensive and the algorithms to do it are more complex, especially if you consider the complexity of any prebuilt parsing tools, such as regular expression tools, as being part of the overall algorithm complexity. While, granted, a parser can be reasonably expected to run in linear time, the script to produce XML can be reduced to constant time if optimized for a specific purpose.

Re:What does it mean to be human?

[mcrbids]

Yes but machines can't sue for damages. If you crash your car, no matter how 'smart' it is, it won't take you to court for driving drunk.

But what if the car had an intelligence directly derived from a real person, like the logical progression of an amputee to a full machine above?

That's the point of this discussion. If you develop software that so closely emulates the human mind that it (and anybody else talking to it) can't tell the difference, is it human? If the software is a direct descendant of a 'natural born' human, is it human? Can it sue? Can it get married?

(kinda makes the whole gay marriage thing pale, huh?)