Campaign To Kill CAPTCHA Kicks Off
Bismillah writes "CAPTCHA may be popular with webmasters and others running different sites, but it's a source of annoyance to blind and partially sighted people — and dyslexic people and older ones — who often end up being locked out of important websites as they can't read wonky, obfuscated letters any more than spambots can. A campaign in Australia has started to rid sites of CAPTCHA to improve accessibility for everyone."
Makes it useful.
No replacement is mentioned in the article, just the drawbacks of the existing scheme.
from automated submissions?
If the campaign was taken over by bots?
"W3C has suggested other techniques such as logic puzzles, limited-use accounts and non-interactive checks to prevent abuse such as fraudulent account creation and spamming."
It's going to be far harder to make an AI that can create a decent logic puzzle as well as make it accessible and hard for computers to solve than it is to make an image and warp it a bit. I think any such puzzle will probably be worse than the audio captcha button.
Yes it is stupid. I understand that spam is a problem, but if you run a website, it's *YOUR* problem. CAPTCHAs make it *MY* problem and that's just stupid.
there isn't a single thing that everyone will like or approve of.
let's say you change it so you have to answer a simple addition math problem. what you get is someone crying, "i have to answer 5+8?! but i dunno maths you insensitive clod!"
you know that person really exists.
Anons need not reply. Questions end with a question mark.
Yeah, yeah, and after they have this and the spambots trivially come back, they'll start bitching that their screen readers can't properly translate "the cheif fuicks le sabretary havemake for the dealintroductionary xxxxanaxxxxxfree". *sigh*
OCR has advanced to the point it is now possible to beat it 99.99% of the time no matter how difficult to decipher -- which has a side effect of making even real humans have trouble reading the CAPTCHA. Not willing to shell out for quality OCR? No problem, Amazon's Mechanical Turk provides you all the tools you need to get people to read the CAPTCHAs for you and the spam goes on. Don't feel like spending any money at all? No big deal, many CAPTCHA services are easily bypassed. (Let's not get into the ethics of certain companies using CAPTCHA solutions for third-party websites as unpaid labor.)
This was an early-00s temporary solution to a permanent problem better solved via other means.
A campaign in Australia has started to rid sites of CAPTCHA to improve accessibility for everyone.
Sure, but have they come up with or even recommended an alternative? No?
Well fuck 'em, then - I for one am pretty damn fed up with all these people and organizations who do nothing but bitch about how Item X is 'unfair' to them, AND expect someone else to come up with the solution for them.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Not sure if this is already super well known, but only 1 word is actually used for verification. In this example you could type "thrand " and pass it. The verification word always looks similar in font/size to 'thrand'. Oh, and the other word I believe is a scan from a book and if you *do* type it in, it will help the digital scan of the book actually pinpoint what word it is.
You were critically hit for no damage. The bruise will look nice, and maybe the scars will make good party talk.
there are already several types of captcha nowadays that are newer and much easier to use. one of the ones i've seen is one with a company logo and you have to type out the company name. another is one where you have to make a pizza with specific toppings. another one is where you have to draw an image. captchas are necessary... the problem is that they have become too ridiculously difficult instead of making it easy to use for normal ppl.
But, having the forum overrun with spam and Frosty Piss is far more annoying!
A stoned person types his password into a CAPTCHA field.
"Wrong? Ah man, I know that's my password."
CAPTCHA will be around as long as it is the best way to stop programmatic submissions.
CAPTCHA sucks for sighted people as well, not just the visually impaired.
As long as we have need for tools to discern software from people, something like CAPTCHA will exist. And so far we haven't developed anything that only humans can do, but computers can't.
I'm out of my mind right now, but feel free to leave a message.....
Another "service" Goggle capitalizes on, for free.
It makes me want to cry when I think of how many captchas I've typed...
If taking a couple seconds to answer a CAPTCHA is too much effort, I probably don't really care what you have to say in the comment section.
I understand that spam is a problem, but if you run a website, it's *YOUR* problem. CAPTCHAs make it *MY* problem and that's just stupid.
If the website you use is overrun by spam to the point of being unusable, then it's your problem as well.
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
As someone that runs a website, without CAPTCHAs I'd be fucked.
There are bots that can automatically register on a site, then check the email account for the activation link, in order to start spamming, so that's not a solution.
The newer 'flash games' e.g. 'out of 5 objects, put the drinks in the cooler' are an interesting solution, but that probably still won't work for people with accessibility issues.
Moderation can work on sites like slashdot, but on lower traffic sites not so much, and the signal to noise ratio will be awful.
If Australia pass this and actually clamp down on 'offenders' it will do more harm than good as the only recourse webmasters will have is to not allow people to register/interact with the site as the cost of cleaning up spam will be too high.
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
Offloading some of the responsibility to you as a human co-processor is an effective tactic called Share The Pain. It's not stupid, it's genius. You just don't favor the end result. You can always vote with your mouse and go to another website.
"Love heals scars love left." -- Henry Rollins
I don't care about you or your problem.
And most site owners don't either.
Passwords, with no two sites accepting the same format. CAPTCHAs, which often as not even normally sighted people can't read without difficulty. Security questions which are either inane or represent their own special security risk.
God almighty, can't we come up with something to replace all of these?
Three Squirrels
Mission Accomplished.
Annoyance to older people who were used to buying their overseas Viagra from forum spambots.
Captcha fulfills a need - it is, as the name implies, a test to completely automatically tell computers and humans apart. It's necessary to keep spambots from registering accounts and spamming the hell out of us. Granted, the "type this wobbly word" may not be the most practical (nor safe) solution. It's easy enough to come up with alternatives- Perhaps show four photographs and ask the user to click on the one that doesn't belong (maybe the kitten out of a picture of 4 cats). Coming up with good ideas? Much harder. Complain about it all you like. Come back if you have a better alternative.
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
Apparently blind people are unaware of all the spam postings clogging porno web sites without it.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
If taking a couple seconds to answer a CAPTCHA is too much effort, I probably don't really care what you have to say in the comment section.
Or a couple of minutes considering most captchas are illegible.
I'm a good cook. I'm a fantastic eater. - Steven Brust
Tell that to my 46-y.o. eyes that can barely decipher these increasingly difficult eye puzzles, and I have a computer engineering degree. Think about others, will you?
Steve Magruder, Metro Foodist
This kind of thing shouldn't be hard at all. You don't need complicated logic puzzles or any such thing. You just need something that's hard for a computer to figure out, but easy for a human.
For instance, render a 3D scene and ask a question about perspective. "What is the person holding in her right hand?" "What is the person looking at?" and similar such questions. Trivial to render. Hard to figure out, because it's far beyond simple image recognition: you have to see and interpret what's going on in the scene. It doesn't have to be confusing or hard at all. (And rendering is super cheap these days.)
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
there are a few websites I want to access but cannot because their CAPTCHA is unreadable. Some of them are just way too complicated to read. I use it on my own blog but it is simple enough so you can get it the first time. It would be nice if there was some other way to prevent bots.
If you want to buy tickets like the guy in the story, it is your problem when they are all sold out in seconds to scalpers using scripts. So, what's your solution, lone smart man, if everyone else is so stupid?
... the Feedback page for TFA blog has a CAPTCHA.
It must have been something you assimilated. . . .
It is possible to train an algorithm to recognize CAPTCHA, even if the success rate isn't 100%, it is high enough to enable bots to register on websites with CAPTCHA. So, Australia is only pushing people to find out better solutions than CAPTCHA. In the short term, a large amount of spammers will rely on optical recognition algorithms to decipher CAPTCHA anyway.
Achille Talon
Hop!
Go ahead, create a better solution and we will be waiting.
It must be capable of being hit many thousands of times per second, so it can't be heavy on resources.
It must be capable of being displayed in any browser from the past 5 years at least, 10 preferable.
It must absolutely not be plugin based.
It must have absolutely no sound unless requested.
I had an idea myself of having fuzzy cats and dog pictures, stretched, skewed, noise added and rotated, all up to a maximum value before it becomes too noisy.
Grayscale, color would be applied to them. Option of even having virtually weird colors that aren't natural.
The hugely identifying features of the face would be blocked out, cats and dogs are still pretty identifiable by body, regardless of face being visible or not, but it may still be stupidly hard for computers to figure that out without huge resource requirements.
That slapped on top of a fuzzy background.
Each image is pregenned in batches of however many the server operator can be bothered to generate, or just semi-realtime.
They are not generated on the client end, ever.
Count the dogs or cats.
Problem is this fails the resource part in that they are particularly heavy to generate as well as transmit. (even as a JPG)
To be of any use, they would also need to be fairly wide, tall or generally just fat.
It could work and anyone is free to steal the idea. If you could get it to work and work well without too much in terms of resource usage, I applaud you and wish you much success. It is not something I care enough to implement myself, unless I were to go ahead with making that website, but that is unlikely at present.
Who knows, I could be using the idea I gave you for my own site one day. Think of all that fame you would get, "The person that killed CAPTCHA".
Of course, image recognition is getting considerably better as each year passes.
There are systems that use huge numbers of image caches and machine learning to figure out captchas.
These are typically only reserved for people that can afford to pay for it.
But power increases constantly. And those cards designed for bitcoin mining are very useful for such a task of cracking and comparison in general.
It could be cracked very easily if it is far enough ahead.
And before anyone mentions it, Rapidshare isn't the inspiration for this, I had this idea before I even knew of Rapidshare's existence.
Equally, Rapidshare's attempt at it was absolutely terrible and abusively bad, half of those pictures were impossible to tell even for humans! (which is for obvious reasons to get more money, which will happen rarely and it just pisses off the people who wanted a file)
There are plenty of other technical measures available these days. Captchas are unnecessary.
Steve Magruder, Metro Foodist
solvemedia and other advertising scum let webmasters make money off of annoying their users
why would they give that up?
Not if you employed other technical measures. Search around a bit and you'll find captchas are unnecessary.
Steve Magruder, Metro Foodist
The campaign support page already has 17 billion supporters!
You keep posting this, yet you can't name one.
Get rid of them and replace with simple maths question:
http://farm3.static.flickr.com/2174/2268237733_cda4a1dbb3.jpg?v=0
If taking a couple seconds to answer a CAPTCHA is too much effort, I probably don't really care what you have to say in the comment section.
It's no longer just a couple of seconds when one has to hit the reload button a dozen or so times before they get a CAPTCHA that's remotely readable.
Yes it is stupid. I understand that spam is a problem, but if you run a website, it's *YOUR* problem. CAPTCHAs make it *MY* problem and that's just stupid.
You assume the website needs you more than you need it. For the standard commercial "wall of ads with some random content between" site, sure, what you say holds true.
For a lot of smaller interest-group-themed sites, usually run by a handful of non-IT-gurus, put bluntly you need them more than they need you, and they don't have a full-time body around to read through all new posts to purge the spam.
Now, personally, I prefer the "math word problem" style CAPTCHAs - Because not only do they not discriminate against the blind or the old, they effectively keep out the spam and the stupid. Win-win!
We have AI units that are equivalent to 4 year old kids. How much longer until they can defeat standard CAPTCHA systems?
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
CAPTCHA may be popular with webmasters and others running different sites, but it's a source of annoyance to blind and partially sighted people — and dyslexic people and older ones — who often end up being locked out of important websites as they can't read wonky, obfuscated letters
CAPTCHAs tend to have an audio button where a string of numbers is read off to you.
Even Slashdot has a "mp3" button that reads the letters on the CAPTCHA off to you.
Doesn't that already help all the above people with issues listed here?
(Except possibly the "older ones", who may have hearing issues too.)
What do I know, I'm just an idiot, right?
Care to elaborate?
Bots can read most captchas being used.
I was about to tell you to take advantage of the audio alternative offered by many services, then I went and tried a reCAPTCHA audio test to make sure I knew what I was talking about.
I apologise for even considering telling you to use those.
If taking a couple seconds to answer a CAPTCHA is too much effort, I probably don't really care what you have to say in the comment section.
Or a couple of minutes considering most captchas are illegible.
This!
More and more, captchas take two or three attempts.
(Disclaimer: IMHO, I'm not senile, dyslexic, a horrible typist, blind. Your opinion may vary).
I suspect some sites are intentionally forcing a fail once or twice, at least occasionally, especially when you enter the word in a timely interval. Bots probably give up after two failures, and they probably answer quickly.
So implementers make it more and more restrictive and throw in bogus failures.
Sig Battery depleted. Reverting to safe mode.
Because we all know computers are terrible at doing arithmetic and solving simple equations
i've been using minteye on my site. it's a visual captcha, works pretty well. you move a slider back and forth to unscramble an image.
I've become convinced that the purpose of captcha is to punish regular users. I strongly suspect that spambots merely push the re-captcha link until they get a pattern that's easier to parse.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I've been developing websites over 10 years and have never needed a captcha system.
This is how I always go about it:
1) Include a form input element labelled as something common, like a telephone number but on a registration form that would never actually require a telephone number. Hide the parent div using CSS in an external CSS file. When the form is submitted, check to see if the element is filled out. If it is, simply display a message that you think their registration may be automated and to try again. If it continues, please contact us by other means (phone, email, etc) and we will help them through it.
2) Time the registration from the time the page is loaded to the time it is submitted, if it's less than 10 seconds, do the same as above, simply display a message saying you think their registration is automated and to try again, etc.
When used in conjunction I feel I've cut out 99.9999% of spam or false registrations. The timing method has to be done server side and stored in a session, and is fairly involved so not easy to do properly if you are new to web development. There is also the issue of someone hitting the back button to try again after a failed submission (if you don't use client-side validation), and them submitting from a cached page, but can be worked around if you know what you are doing.
Obviously it's not bullet proof, and if the CSS file doesn't load then someone would see the extra form element. But it's a small price to pay for effective protection.
Anyone else have other methods they use?
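
The two checks described in the comment above (a decoy field hidden by CSS, plus a server-side minimum fill time of 10 seconds), as an added example that is not part of the original post. The names `FormGuard`, `form_token` and the one-hour token lifetime are assumptions, the in-memory dict stands in for the session store, and the token is single-use so that a back-button resubmission from a cached page is recognised instead of being timed against the old page load.

```python
import secrets
import time

MIN_FILL_SECONDS = 10         # threshold named in the comment above
TOKEN_TTL_SECONDS = 3600      # assumption: how long a rendered form stays valid
HONEYPOT_FIELD = "telephone"  # decoy input; its parent div is hidden by external CSS
TOKEN_FIELD = "form_token"    # hypothetical hidden input carrying the token


class FormGuard:
    """Server-side record of when each registration form was rendered.

    The dict stands in for the session store; a real site would keep the
    same data in whatever session backend it already uses.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._issued = {}  # token -> time the form was rendered

    def issue(self):
        """Call while rendering the form; embed the result in TOKEN_FIELD."""
        now = self._clock()
        # Forget forms that were rendered but never submitted.
        self._issued = {t: ts for t, ts in self._issued.items()
                        if now - ts <= TOKEN_TTL_SECONDS}
        token = secrets.token_urlsafe(32)
        self._issued[token] = now
        return token

    def check(self, form):
        """Return (accepted, reason) for a submitted form dict."""
        # pop() makes the token single-use: a cached page resubmitted via
        # the back button carries a token that is no longer known.
        issued_at = self._issued.pop(form.get(TOKEN_FIELD) or "", None)
        if issued_at is None:
            return False, "stale_or_missing_token"
        elapsed = self._clock() - issued_at
        if elapsed > TOKEN_TTL_SECONDS:
            return False, "expired"
        # A human never sees the decoy field, so any value means automation.
        if (form.get(HONEYPOT_FIELD) or "").strip():
            return False, "honeypot_filled"
        if elapsed < MIN_FILL_SECONDS:
            return False, "too_fast"
        return True, "ok"


def demo():
    """Run four constructed submissions against a controllable clock."""
    now = [1_000.0]
    guard = FormGuard(clock=lambda: now[0])
    results = []

    # 1. Script that fills every input it finds, one second after load.
    token = guard.issue()
    now[0] += 1
    results.append(guard.check({TOKEN_FIELD: token, "user": "a",
                                HONEYPOT_FIELD: "555-0100"}))

    # 2. Script that skips the decoy but submits after two seconds.
    token = guard.issue()
    now[0] += 2
    results.append(guard.check({TOKEN_FIELD: token, "user": "b"}))

    # 3. Same page resubmitted later (back button / cached copy).
    now[0] += 60
    results.append(guard.check({TOKEN_FIELD: token, "user": "b"}))

    # 4. Person who loads a fresh form and takes 45 seconds.
    token = guard.issue()
    now[0] += 45
    results.append(guard.check({TOKEN_FIELD: token, "user": "c",
                                HONEYPOT_FIELD: ""}))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

On any rejection the handler re-renders the form with a fresh `issue()` token and shows the "try again" message the comment describes, so a real user who tripped a check is not locked out.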
I had to post this as an anonymous coward, because I have to state an unpleasant truth that every single web site operator out there who isn't disabled will agree with 1000%, but can't publicly admit unless they wanna get flayed alive by the disabled lobby.
Get rid of captcha, not on YOUR life. I have a forum with 30 active volunteer moderators and without captcha they would spend every waking moment of every day removing bot posts non-stop. If we make a captcha that is just as easy to read with a screen reader or braille display as a sighted person, a computer can read them as well, defeating the purpose and making the whole system useless. Sorry it is not gonna happen. YOU have a disability that limits you, so get used to it. The basic fact is YOU can't penalize everyone else in the world because of that fact.
http://en.wikipedia.org/wiki/2081_(film)
LOL I have to submit a Captcha code to post this to Slashdot, I love the irony!
It is possible to train an algorithm to recognize CAPTCHA, even if the success rate isn't 100%, it is high enough to enable bots to register on websites with CAPTCHA. So, Australia is only pushing people to find out better solutions than CAPTCHA. In the short term, a large amount of spammers will rely on optical recognition algorithms to decipher CAPTCHA anyway.
True, but I think the OP's point is those smart bots are not that frequently encountered. We know it can be beat, but in everyday life it is still not common to encounter such bots, and even when you do, you end up blocking 98% of the bots.
As those bots become more common, captcha will become less and less useful. It's a self-solving problem that probably doesn't need any help from government, because government will invariably impose something more stupid and useless.
Sig Battery depleted. Reverting to safe mode.
If you want to buy tickets like the guy in the story, it is your problem when they are all sold out in seconds to scalpers using scripts. So, what's your solution, lone smart man, if everyone else is so stupid?
auction the tickets, then the venue owner will get the market price
sell cheap "standby" tickets at the door, if the original ticket holders don't show up in time then their tickets are voided and the standby crowd gets to go in
One time registration is one thing -- I can just punch the re-captcha until I get something I can read. (But if I can do that, couldn't a bot do it too?)
It's the sites that require captcha for each login that really chaps my ass. Yeah, I'd vote for it to go away.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Not if you employed other technical measures. Search around a bit and you'll find captchas are unnecessary.
In all sincerity, can you post some links? I'll even take an insulting "lmgtfy" that ends up with some good results.
I hate captchas, but all the other methods I have seen and tried (hidden form elements, javascript checks, etc.) all break down in one place or another.
I'd be curious about what "technical measures" you are talking about. There are some "universal IDs" that help to filter out some of the spam, but it still can slip through in a way that Captchas help prevent. There is also something philosophically wrong with trusting in some huge 3rd party vendor like Facebook, Microsoft, or Google to be processing authentication on your website, not to mention concerns about the NSA tracking everybody who is logging into your website as well.
Again, I'd be curious about what technical measures you are talking about.
Maybe they're a spambot and consider their not being able to use captchas a disability.
There is a simple solution to all this;
Use CAPTCHAs that have the audio button that speaks the CAPTCHA instead of looking at it.
Sight issues? Solved
Hearing Issues? Use the visual CAPTCHA
sight and hearing issues? If you can't see or hear then a computer is not for you. Stop trying to use a computer, you have much bigger issues to deal with.
Intelligence/mental issues (e.g. can't add 8+5)?: operator failure, operator is too dumb to use a computer, replace operator.
This solves problems for 99.999% of people. It is not worth it to piss off 99.999% of people to make the 0.001% of people pass through a CAPTCHA.
I'm not a fan of CAPTCHAs, but your statement makes no more sense than declaring passwords bad because it is the website's problem, not yours.
Looking forward to not needing to look for the "Long S" character on my keyboard anymore http://blog.ambor.com/2013/07/an-unexpected-risk-of-using-re-captcha.html - I'm always worried that my employer is filtering on words like goatfucker when I mean to write goat(Long-S)ucker.
The easy thing for you to do would be to simply detect if the user is in Australia, and simply ban them from your website.
If this law passes, and most websites just refuse to serve Australians, then the fault, blame, whinging and recriminations can lie solely with the law and the people who created/passed said law.
More bitching. Got a better idea to prevent bots from signing up?
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
i've been using minteye on my site. it's a visual captcha, works pretty well. you move a slider back and forth to unscramble an image.
I never heard of it, and upon googling it, their own website couldn't get past my no-script. So right there, a significant and growing number of customers would be turned away.
But, I wonder if that would remain effective, after all, bots already exist to recognize letters in images. (Those bots existed before captcha). So as soon as Minteye becomes popular it will be bot-stormed.
I've also seen the word games, these are fairly unique as well. But I'm not sure they couldn't be attacked as soon as they become popular. It almost seems that obscurity is the best we have these days.
Sig Battery depleted. Reverting to safe mode.
Twilio. Facebook Connect. Twitter @Anywhere. OAuth. OpenID.
I wasn't posting that, but it is kinda obvious what some better ideas are.
B) Eliminate all the stupid users. This is frowned upon by society.
The "which of these pictures is a kitty" or the question "what is 1+1=?" are superior. The distorted text is irritating.
And as to the deaf... most CAPTCHAs will offer a "press to speak" feature.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
You know you live in a magical world when people are suggesting changing things in a way that would negatively affect the majority just to make cripples and broken people happy. First they abolished slavery, then they let them live in and run Detroit, and now they want to get rid of CAPTCHAs. What's next?
Are we getting to start letting people stay in the US Military when they are physically and/or mentally incapable of performing their jobs?
The solution is not to make it harder for spammers to post. The solution is to murder spammers after they post.
If taking a couple seconds to answer a CAPTCHA is too much effort, I probably don't really care what you have to say in the comment section.
It's no longer just a couple of seconds when one has to hit the reload button a dozen or so times before they get a CAPTCHA that's remotely readable.
And half the sites bit-bucket at least some of the data you've entered just as further punishment. So you have to type that in again.
Show me the captcha before I enter any data please. That alone would confuse half the bots out there. (For a while).
Sig Battery depleted. Reverting to safe mode.
Simply require an email address and maintain a blacklist of bad domains.
Mozilla Persona http://www.persona.org/ is the new best one -- not tied to any corp, but without the usability problems of openid
People seem to forget that the term "CAPTCHA" (Completely Automated Public Turing test to tell Computers and Humans Apart) applies to a much broader set of tests than just those obfuscated text-based things that most of us loathe. Banning CAPTCHAs is a silly notion that would adversely affect every site currently using them, as they become swarmed by spammers. Instead of banning them, they should be asking people to use sane, simple CAPTCHAs.
For instance, on a forum I run for a group in a game, I use a form of CAPTCHA that has people drag words into categories. As an example, if our group name was "Guild X of Y", I might make the categories "Words in our group's name" and "Words not in our group's name", then ask them to categorize the words "Guild", "Elephants", "X", "Tree", "Honor", "Plus", and "Ocean". I have about two dozen sets of categories and words configured, and so far it's had a 100% success rate at stopping spammers from registering. It's also made it easier for people to register, since the number of e-mails and other off-forum messages I've received complaining about the difficulty of the CAPTCHA has dropped to 0 while registrations have actually picked up.
Such a system would obviously not work for Google or someone that large, since a spammer would just train the bot to know all of the answers, but for smaller sites, there are plenty of solutions that work just fine, and I'm sure we can find more systems that are simple for a human but complicated for a computer. No need to make something that's so complicated for a human to solve.
Alternatively, go with xkcd's approach to solving the problem of spam.
It's good that there are many different posting/comment systems like phpbb, vbulletin, even Slashdot. The more the merrier, which means the spammer needs to identify each and every one. If there is enough of them it's not worth it. Unfortunately people would opt for off-the-shelf solutions and this popularity/unity makes it more appealing for spammers: implement once, hack many. But a special case is if one site is big enough to take over thousands of small sites, really, this site needs a thousand different captchas in order to be as effective as a thousand small sites with their own captcha.
And for all those suggesting math problems and such like that, you must not have a large userbase. If the userbase was large enough or enough forums use the exact same "captcha" you can count on spammers writing their automated scripts to handle math. I suspect if you were to require people to solve complex math, such as infinite series or complex integrals that possibly could not be interpreted properly by the program that could be figured out by a human, but I suspect a lot of real people will have difficulty to figure them out.
I do like this possible solution that even Slashdot has used for anonymous coward: payload first, captcha later. It's a psychology problem: you already wrote what you want to write, just a little more and it gets posted. Coupled with it being unique helps a long way towards the spam problem. But this doesn't help against automated registration...
Incidentally, the captcha I got for posting this was "ovaries" but I initially misread it as "varies" completely missing the o. #*(@# captcha... :(
The NSA and its friends already track who logs into your website (or at least the IPs that do) so I wouldn't worry about that one too much.
One technical measure that has been floated recently is the idea of using Bitcoin. What you do is provably sacrifice some bitcoins to miner fees, thus creating a kind of anonymous passport. That proof of sacrifice has public keys embedded in it to which you own the private keys, and it was provably expensive to create. So the idea is that you sign up with your passport and then if you misbehave, it can get added to a blacklist kind of like how Spamhaus blacklists IP addresses. Now you can set the cost of abuse to a precise degree. Good users only have to pay once and can use the same passport for years. Abusers find their business models are unprofitable.
Unfortunately the software and protocols for that aren't implemented yet.
Text-oriented CAPTCHA schemes are obsolete, especially as a way to get humans to help with book OCR jobs. If the OCR program can't read it with context, humans probably can't read it out of context. A sizable fraction of book-scan CAPTCHA images aren't even text, let alone words. I've seen ink blots, mathematical formulas, and Cyrillic in what were supposed to be English-language CAPTCHAs.
Not if you employed other technical measures. Search around a bit and you'll find captchas are unnecessary.
You keep saying this, and you continue to not provide any citations. Just because you say it is so does not make it so.
I run a web forum that is attacked every single minute of every single day by spambots from China, Russia, India, and Pakistan. Captchas are one of several technical countermeasures I use to keep from being overrun with spam -- and by overrun, I mean really, seriously overrun. Forum spam is incredibly prolific.
Each of the technical countermeasures stops some of the spam. Dropping captchas from the mix would allow far too much spam to get through. And yes, I've closely examined the contribution of each countermeasure.
People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
Twilio. Facebook Connect. Twitter @Anywhere. OAuth. OpenID. I wasn't posting that, but it is kinda obvious what some better ideas are.
So on a business site, you would require a user to log in with an account from another site/system before they could contact you to show interest, request a quote, etc.?
I understand for web forums, etc, but my issue is contact forms on business sites. Most users don't want to share their facebook or twitter accounts and haven't heard of most of the other options.
I did see another post about combining the hidden form element technique with a short submission timer that looked interesting though.
They have precisely zero security value. Please see, for a brief introduction:
http://phys.org/news/2011-11-stanford-outsmart-captcha-codes.html
http://cintruder.sourceforge.net/
http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/
http://arstechnica.com/security/2008/04/gone-in-60-seconds-spambot-cracks-livehotmail-captcha/
http://www.troyhunt.com/2012/01/breaking-captcha-with-automated-humans.html
among others.
Nobody who actually understands the nature of the threat would even CONSIDER using captchas at this point.
Now...every now and then some poor naive fool stands up and says "But but but...they're working for us." No. They are not. You are simply not worthy of attack...yet. If you ever become a target, because someone has a grudge against you, or because you have an important resource, or merely because someone is bored, then if they are at least minimally competent attackers, they will go right through your alleged "captcha" defenses without the slightest problem.
If what presents itself as only the most barely notable disability in day to day life excludes me from your consideration as a thoughtful, well-spoken adult due to a single special circumstance, I don't care too much about your comments either.
CAPTCHA has a *point*. It is to keep bots out. Which, with good CAPTCHA, works very reliably, and more importantly is the ONLY thing that actually decides based on the *correct* measuring point. As opposed to IP address blocks, pattern matching, and other cases of shitty engineering with *way* too high false-positive and false-negative rates.
If you want to post, deal with it and enter the CAPTCHA. Otherwise you can just... you know... no post. That nicely keeps out the dumbfucks too.
Minteye was very thoroughly broken.
http://translate.google.com/translate?sl=ru&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Fhabrahabr.ru%2Fpost%2F167359%2F&act=url
Essentially, the guy realized that jpeg pictures with distortions should have a completely different size than the undistorted picture. But all pictures delivered by minteye were of identical length. He figured they were padding the files with zeros, and he was right. By counting the number of zeros at the end of the file, the local maxima/minima was the correct file. He wrote a few lines of javascript, and it was broke.
John
Those don't replace captchas. They are alternative login methods that don't prove someone is human, only that they have an account to be used for this purpose somewhere else.
How many blind people are there who use the Internet without assistance?
I know blind people, and people who have very poor eyesight. Most of them are older. When I talk to them about computers, they're not interested. One woman with macular degeneration tried a screen reader, and didn't like it. (That's $10,000 worth of equipment sitting in her closet.)
Back in the days of COBOL, there were a lot of training programs to teach programming to blind people. And there were a lot of successful blind programmers. There were braille printers. Then came Windows, and it got a lot harder for them to read the screens....
There are laws that require organizations that serve the public to provide reasonable accommodations to the handicapped. I support those laws. A lot of people have problems with hearing or vision. A lot of people can't climb stairs.
The question is, "What's reasonable"? If this were a widespread problem, and a million blind people can't read CAPTCHAs well enough to use Skype, that's a big problem and we might have to throw out CAPTCHAs. If it's just a dozen blind techies, maybe we could work out some simpler solution.
It's a cost/benefit question. What's the scope of the problem?
My biggest problem with CAPTCHAs is that about 1/2 of the time they're ambiguous.
For example, running the letters together is a common technique, but that makes it impossible to tell the difference between the letter "m" and the letters "rn" together.
They're also twisting letters so badly now that they convert to other letters. For example, it doesn't take much to twist the letter "u" to "v", or to destroy the identifying features of the thin letters ("f", "i", "j", "l", "r", and "t").
I've had cases where I needed to request a new CAPTCHA 4 or 5 times to get one that's not ambiguous. The technology is badly broken now. There's no reason they can't fix these problems, but they deliberately choose not to. A simple fix would be to screen out things like "rn" if they're running the letters together -- but after all these years, it's now clear that they're unwilling to do even these simple fixes to improve the user's experience.
Because we all know computers are terrible at doing arithmetic and solving simple equations
But they are. It's out of context, and it's much harder to make programs that are flexible like that. They're bringing a regular expression to an arithmetic party.
"Little does he know, but there is no 'I' in 'Idiot'!"
So you push the bot detection problem onto a third party. But when they are overrun, the smarter bot operators won't spam the identification sites. So these service providers will never have good statistics on which measures work and which don't.
Have gnu, will travel.
I have a solution. It's called paid services. Services where users have to log in and pay a subscription are much less susceptible to bots than free services. No CAPTCHA for users, less spam for hosts.
Yet somehow I feel most of the slashdot crowd (and internet crowd in general) doesn't sympathize enough with service providers to consider this an acceptable alternative.
These comments are mine; I do not speak for my employer.
Or a couple of minutes considering most captchas are illegible.
Hear hear! Captchas were fine when they started but lately they do this weird wavy thing. I have to hit reload a few times before I get one where I can make out all the letters... and my vision is just fine.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Facebook Connect is not a "better" idea.
You can hold down the "B" button for continuous firing.
Agreed, my systems (combined) are hit every 3 seconds by spammers and hackers.
While people may hate Captcha, webmasters do as well. Until we have something that works at least as well, it stays, along with my other levels of fighting spam. It's imperfect, troublesome, and a hassle at times, but it's still one of the more effective anti-spam systems out.
And no, I will not let you login from Twitter or Facebook or any other junk, that opens up a whole new host of issues.
Looks like it's a flash-based captcha that applies a simple transformation to an advertisement. So, it forces your users to stare at your ads. It's got a huge flaw -- a human might need to decode each ad once to train a bot to decode every instance of that ad. Minteye will work until the point that it gets even a little popular. It would take a competent programmer with experience in image processing an afternoon to break this.
Bad guys run some pretty high traffic sites that oddly enough, require captchas. Their client bots forward the real site captcha to the bad-guy site, which delivers it to a human who wants access to the bad-guy site and answers it - which answer is passed back to the bot and submitted to the legitimate site in real time. They also compromise legitimate captcha-secured sites for the same method. It's the Mechanical Turk method of defeating CAPTCHA. Machine learning of text recognition is not required.
Help stamp out iliturcy.
Facebook Connect. Twitter @Anywhere.
Just no.
Filthy, filthy copyrapists!
Agreed. I've found asking a question like "What is five plus seventeen?" is much more effective at keeping spambots out than any standard CAPTCHA.
One of the Five Eyes Alliance. No doubt, the 'best' replacement for CAPTCHAs will be a centralized authentication/login authority. Or at least a few large outfits that can be arm twisted into linking everyone's accounts together. Like Google, Microsoft, OpenID, etc. It's just a variation of 'think of the children'. Think of the blind.
No thanks. I'll keep my on-line personas separate.
Have gnu, will travel.
I recently started getting hundreds of spam signups a day on my site. So I installed a CAPTCHA to prevent that. I set up a standard image CAPTCHA with a plugin for the CMS. More than 80% of the spam sign ups just walked right through it. Then I changed the type of CAPTCHA to an ASCII art CAPTCHA. I haven't had a spam sign up since. The ASCII art CAPTCHA is also much easier to read than weird image CAPTCHAs.
Instead of a CAPTCHA, show them two posts and indicate if none of them, one of them, or both of them are spam posts. Behind the scenes, one is a post you know for sure is good or not and one you don't know about.
You can use the responses to rate users (how effective is this user at rating posts, based on how well they do identifying spam?) and posts (how likely is this post to be spam based on what users say about it?). Bad users and bad posts get booted from the system.
... but only because you asked for it: captchas are unnecessary.
I bow to you, because to my simple brain many captchas these days are a PITA. Enough of a PITA that I'll say fuck-it half the time and a website just lost a potential subscriber/user.
I can't say I like the idea of having to buy into something I don't trust to get the privilege of using certain websites.
The current generation of CAPTCHAs aren't designed to take advantage of the real strengths of the human perception system.
For example, humans are excellent in detecting the patterns in disconnected shapes, and in mentally connecting incomplete lines. Notice that the IBM logo is constructed from 40 completely disconnected lines -- but it's easy to perceive them as letters.
There's a lot of low-hanging fruit here, and the CAPTCHA designers aren't exploiting it. Instead, they just keep flogging their tired old technique of distorting letters and running them together. This is a technology that has seen absolutely no innovation for years. As a result, I'm not surprised to see a new movement to kill it off.
Two shortcomings of those suggestions:
1 - they're more effort for most end-users than a CAPTCHA
2 - they do nothing whatsoever to address the problem at hand
Even now I'm not sure if letters need to be entered as shown ie: some letters are upper case, some lower case.
I'm leaning towards it doesn't matter.
These are only first impressions, but it looks ridiculously easy to solve automatically.
First of all the warp angle jumps significantly more before and after the "correct" image than between other images, so a fairly simple block tracking algorithm would have a very good chance of identifying the correct image:
[image]
You don't have to get exactly the right image - one or two either side and you're okay.
Secondly, the warped images are significantly less sharp than the correct image - in a purely mathematical sense, too, which means it'd be simple for a computer to identify the correct image (confirmed with high pass filters and histograms).
But it's actually a lot simpler than that, as plover has posted here.
What you've got there is CAPTCHA through obscurity, nothing more.
systemd is Roko's Basilisk.
Those are not effective solutions. At best, you'd be shifting the problem slightly, and those services present other problems.
Actually, my mistake; what you've got is a company selling adverts through your site that users are forced to look at.
systemd is Roko's Basilisk.
I moderate on a blog about autism. It uses captcha fairly heavily. Adding captcha has done exactly NOTHING to reduce the 20 new users a day and the three or four who post spam.
It does go in waves. And from the language used, I've got to think it's Eastern European/Asian mainly. But boy is it prolific, and apparently captcha is worthless for stopping it.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Anyone using a widespread bulletin board software will know that despite hard captchas, spammer accounts are registered like crazy.
I include a small set of questions and answers relative to the interests of those who would visit the board. E.g., for Slashdot:
Complete the following sentence:
[randomly select from sentences]
"TFA" is an acronym meaning "The _______ Article". (7 letters)
Another alias for "Anonymous Coward" is "________ Dweller". (8 letters)
--etc--
Prior to instituting this simple questionnaire there are usually hundreds of spammers a day. Afterwards? None.
This is actually trivial to solve, indeed I don't even use the session token as a seed for creating new mappings between the numeric question ID, and the answers. So, a diligent spammer could simply collect all the questions then add the responses to the bot... Only THEN would I escalate to the code I've already written that does the randomized mappings, after first swapping in a new set of questions / answers.
But why?! Why wouldn't I use the MORE secure way right away? Because I'm not a fool. It has to be worth their time to enter an authentication war with me. Let them waste time writing a bot solver first, then immediately have their work become useless. In fact, this has already happened a few times. It's even rarer for spammers to then continue escalation -- they could just migrate to one of the other boards that is not so hostile, and upon which pre-made automated solvers still work. In fact, I have found good success starting with only a single question. Replace the selection function:
sub random(){ return 4; } # Return truly random number, selected by fair dice roll.
Then I can simply revert to the randomized set of questions to escalate the spammer's coding and deployment cost. Thus, gaining yet another defense at little cost.
Any heterogeneous environment has what's called a "Single Point of Failure". This is why sex exists. Combinatorials are a simple way to get some randomness without all kinds of unexpected outcomes that rampant mutations in an asexual production would first attempt. Bacteria can use other methods because they've abstracted reproduction from defense: transformation, conjugation, etc. So, the uniform use of SSL, is stupid to put it mildly. It could have been like a bacteria, standardized and abstracted extensible protocol for defensive encryption... It's not though, it's a dumb for including a heterogeneous set of transforms dictated by AES standard. I mean, virtual machines exist; You're using one to decode font glyphs, and Unicode BIDI right now, but not for extensible encryption? How daft. Pervasive use of a brand of Captcha is equally retarding.
How foolish you humans are to not even learn the most basic of Life's Lessons. Diversity is a defense. When you use science to analyze natural selection's method of Trial and Error, Observation of results and Preservation of favorable outcomes... I bet you don't even make the correlation that Nature invented Science billions of years before you rediscovered it... I bet you don't even realize that's a universal truth inherent to any self improving cybernetic system, from DNA life compilers to C compilers. Ugh. Humans: Can't live with 'em; Can't teach 'em to survive.
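The escalation step described in the comment above, a per-session mapping between question IDs and answers, as an added example that is not the commenter's code. The secret, the questions (constructed for a hypothetical cycling forum) and every function name are assumptions.

```python
import hashlib
import hmac
import random

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent to clients
QUESTION_SET_VERSION = 1           # assumption: bump when a new question set is swapped in

# Constructed sample questions; a real board would use its own topic.
QUESTIONS = [
    ("A standard bicycle has how many wheels? (3 letters)", {"two"}),
    ("The part you sit on is called the ______. (6 letters)", {"saddle"}),
    ("You squeeze the ______ levers to stop. (5 letters)", {"brake"}),
]


def _norm(answer: str) -> str:
    """Ignore case and stray whitespace so honest users are not rejected."""
    return " ".join(answer.lower().split())


def question_id(session_token: str, index: int) -> str:
    """Opaque ID that is only meaningful inside one session and one question set."""
    msg = f"{QUESTION_SET_VERSION}|{session_token}|{index}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def pick_question(session_token: str, rng=random):
    """Return (opaque_id, question_text) to embed in the registration form."""
    index = rng.randrange(len(QUESTIONS))
    return question_id(session_token, index), QUESTIONS[index][0]


def check_answer(session_token: str, submitted_id: str, answer: str) -> bool:
    """Recompute each candidate ID for this session; accept only a matching ID and answer."""
    if not submitted_id.isascii():
        return False
    for index, (_, accepted) in enumerate(QUESTIONS):
        expected = question_id(session_token, index)
        if hmac.compare_digest(submitted_id.encode(), expected.encode()):
            return _norm(answer) in accepted
    return False


if __name__ == "__main__":
    qid, text = pick_question("session-A")
    print(qid, text)
    # An ID harvested in one session does not validate in another one.
    print(check_answer("session-B", qid, "saddle"))
```

This only invalidates lookup tables keyed on the ID; a solver keyed on the question text still works until the question set itself is replaced, which is the second half of the escalation the comment describes.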
Adding rel="nofollow" to any links provided by your untrusted commenters is a good start. It's a promise that Google and other search engines won't do any indexing or page ranking based on the href in the same tag.
Spammers have a pretty common M.O. They sign up with an account and use their spam link as their "home page". They then pollute the blog. The obvious spam is repeated variations on the same topic, and looks like "brand name products, products brand name, brand products name, ..."
Lately, link spam is done with a flattering but generic message that looks like it came from a non-native speaker: "I thanking you for your keen insight, have you other similar articles online? I would like to know more how you come to know this." An unwary site operator will often mistake the flattery for a conversation, and allow the spammer to remain a user. (The flattery is script-generated, by the way.) Their "home page" is often a dummy "news portal", which is just replaying whatever feeds they can get. The trick is this news portal has lots of links to the sites the SEO is trying to push.
While rel="nofollow" will render their efforts to associate their spam with a legitimate blog completely wasted, there are two negatives. First, unless the spammer knows it's there, they're going to spam you anyway. Second, it takes away your contribution of "linkiness" for your legitimate users' links to Google's pagerank algorithm. You can fix this with extra work like "probationary" and "full" users, but then you're taking on the task of rating your readers, which may be Sisyphean on a site the size of Slashdot.
John
I still think for small topic-based blogs, a set of whitelisted words works the best. If a post doesn't contain any of the whitelisted words, it's spam.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Sometimes they are:
For instance, what's 9,223,372,036,854,775,807 + 1 ?
Trivial for you or me, but considering the above problem could be rewritten 0x7FFFFFFFFFFFFFFF + 0x1 and you might see why a computer would have problems getting it right.
Vastly superior methods for stopping spam have existed since well before captchas were invented. They still exist today. I've written about them at great length (elsewhere), as have others.
The problem is not that these methods don't exist, or aren't effective, or aren't well-understood; the problem is that people refuse to invest the effort to learn them. Captchas are a cheap, easy way out for those same people, and they take it because they're too lazy to bother actually (gasp!) LEARNING.
But you know what? Let's forget that I have more experience in this area than you could possibly guess. Don't take my word for it. Don't read the references I provided. Instead, why don't you consult the people who make it their business to defeat captchas: the spammers, the phishers, the malware distributors, the bad guys. Go read their mailing lists, their web sites, their message boards. I don't mean just one or two postings: I mean several thousand over several years, so that you can actually begin to get a sense of where they're at. You will find, if you actually do this modest bit of informal research, that they're way past all this. Captchas are merely a dot in their rear-view mirror, fading away into the distance.
I'm neither and they annoy the hell out of me; and those little "validation games" (dump the fish into the bucket, or whatever) are ridiculous time-wasters. I'm also a web developer, so there's that. CAPTCHAs are for lazy web developers to offload the task of anti-bot protection to the user.
Create some dynamic form elements that only display via Javascript DOM and are required by a backend script. Create a per-IP limitation on registrations per 10 minutes. Require a minimum time between form loading and form submission. Require a cookie to submit the form.
The point is: the more variety of anti-bot systems that exist, the less attractive a target there is for bot makers.
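The non-interactive checks listed in the comment above (a form element the backend requires, a minimum time between form load and submission, a per-IP limit per 10 minutes), together with the hidden-field idea mentioned earlier in the thread, combined into one server-side gate. This is an added example, not code from any commenter; the field names, thresholds, secret and in-memory stores are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

SECRET = b"constructed-demo-key"  # assumption: per-deployment secret kept on the server
MIN_FILL_SECONDS = 3              # assumption: shortest plausible human fill time
MAX_FORM_AGE = 3600               # assumption: a served form is valid for one hour
WINDOW_SECONDS = 600              # "per 10 minutes", as in the comment
MAX_PER_WINDOW = 3                # assumption: registrations allowed per IP per window
HONEYPOT_FIELD = "website"        # assumption: input hidden by CSS, empty for humans


def _sign(issued_at: int, nonce: str, client_ip: str) -> str:
    msg = f"{issued_at}|{nonce}|{client_ip}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_form_token(client_ip: str, now: float) -> str:
    """Issued when the form is served; injected by script or set as a cookie."""
    issued_at, nonce = int(now), secrets.token_hex(8)
    return f"{issued_at}.{nonce}.{_sign(issued_at, nonce, client_ip)}"


class RegistrationGate:
    def __init__(self):
        self._used = set()                  # tokens already spent (unbounded in this demo)
        self._recent = defaultdict(deque)   # ip -> times of submissions that reached step 4

    def check(self, form: dict, client_ip: str, now: float) -> str:
        """Return "ok" or the name of the first check that failed."""
        # 1. Honeypot: naive form fillers populate every input they find.
        if form.get(HONEYPOT_FIELD, ""):
            return "honeypot"
        # 2. Required token: proves the form was actually loaded by this client.
        token = form.get("form_token", "")
        parts = token.split(".")
        if not token.isascii() or len(parts) != 3:
            return "bad_token"
        issued_str, nonce, sig = parts
        if not issued_str.isdigit() or len(issued_str) > 12:
            return "bad_token"
        expected = _sign(int(issued_str), nonce, client_ip)
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return "bad_token"
        # 3. Minimum and maximum time between form load and submission.
        age = now - int(issued_str)
        if age < MIN_FILL_SECONDS:
            return "too_fast"
        if age > MAX_FORM_AGE:
            return "expired"
        if token in self._used:
            return "replayed"
        self._used.add(token)
        # 4. Per-IP sliding window.
        window = self._recent[client_ip]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_PER_WINDOW:
            return "rate_limited"
        window.append(now)
        return "ok"


if __name__ == "__main__":
    gate, ip, t0 = RegistrationGate(), "203.0.113.7", 1_700_000_000.0
    tok = issue_form_token(ip, t0)
    print(gate.check({"form_token": tok, "website": ""}, ip, t0 + 1))   # too_fast
    print(gate.check({"form_token": tok, "website": ""}, ip, t0 + 10))  # ok
```

Logging the returned reason per rejected submission gives the per-countermeasure statistics that several posters in the thread say they rely on.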
Charge $1 for a lifetime membership. (or whatever minimum amount on paypal results in you making more money than paypal)
Each time I swear it was an Aztec chant out of the Necronomicon to raise the evil dead. (And I'm only being partially sarcastic when I say that.)
Did you know 80 to 90% of the moderators on slashdot wouldn't recognize a troll even if one dragged them under a bridge?
There's an obvious measure: don't allow untrusted users to provide links at all, and sanitize their data (server side) to mangle any protocol headers from their text, like adding a space before any text matching ://, so the results become http :// , https ://, or mailto ://. No search engine will try to follow those. You are already sanitizing your inputs to restrict users from posting bad stuff like javascript, right? This is just one more thing to check.
You could even get cute using javascript in the browser to flag the text in red if they try to type a URL so they might know in advance they will get nowhere.
Then, to reward the faithful, you can have a karma system that permits voted-up users to post valid links (like stackoverflow). Or you can have an admin manually grant them "good user standing". Either way, your spammer is either contributing real value to your site (which is great) or they've gone away (which is great.)
John
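The two link policies from the comments above, mangling `://` for untrusted users and `rel="nofollow"` for users who may post links but have not yet earned full standing, as one server-side renderer. This is an added example, not the commenter's code; the three standing names, the function name and the extra handling of slash-less schemes such as `mailto:` go beyond the comment and are assumptions.

```python
import html
import re

# Insert a space before "://" unless one is already there (idempotent).
SCHEME_SEP = re.compile(r"(?<!\s)://")
# Assumption: also break schemes that take no "//", which the "://" rule misses.
BARE_SCHEME = re.compile(r"\b(mailto|javascript|data|tel):", re.IGNORECASE)
# Conservative URL matcher used only for users who are allowed to post links.
URL = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def render_comment(text: str, standing: str) -> str:
    """Return HTML-safe comment text.

    standing: "untrusted"    -> no working links at all
              "probationary" -> links rendered with rel="nofollow"
              "full"         -> plain links
    Any other value is treated as untrusted (fail closed).
    """
    if standing not in ("probationary", "full"):
        mangled = SCHEME_SEP.sub(" ://", text)
        mangled = BARE_SCHEME.sub(r"\1 :", mangled)
        return html.escape(mangled)

    rel = ' rel="nofollow"' if standing == "probationary" else ""
    out, last = [], 0
    for match in URL.finditer(text):
        # Sentence punctuation right after a URL is not part of it.
        url = match.group().rstrip(".,;:!?)")
        end = match.start() + len(url)
        out.append(html.escape(text[last:match.start()]))
        safe = html.escape(url)   # escapes &, <, > and both quote characters
        out.append(f'<a href="{safe}"{rel}>{safe}</a>')
        last = end
    out.append(html.escape(text[last:]))
    return "".join(out)


if __name__ == "__main__":
    sample = "Great post! See http://spam.example/pills."   # constructed input
    for standing in ("untrusted", "probationary", "full"):
        print(standing, "->", render_comment(sample, standing))
```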
Because it's an unusual approach. If it were adopted en masse it would become the biggest target, and you'd see bots that were able to parse simple math problems from natural language and compute the answer. That isn't a thoroughly hard problem, and may even be amenable to hand-coding the set of cases for different wording the generating system is programmed to use.
don't you think they fixed it? it sounds trivial to fix.
/\37R07URF campaign. Most captchas nowadays even include a link for an audio CAPTCHA.
no, you can choose among three options: 1) they show ads, 2) you show your own photos (which could be ads for your products, lolcats, or whatever), 3) they show generic photos, flowers in this case. so some of the criticisms on this thread are valid, but the advertising one isn't an issue.
So people who can't see are unable to click a button that plays the word so they can listen to it?
The same people who use screen readers...
What's wrong with putting aria tags on the button, so their screen reader tells them about it?
i said below - adverts are just one option. you can also show your own images (plugs for your own products, lolcats, whatever), or have them show generic images like flowers. i agree about potential for breaking - sounds like a cat and mouse game where they keep refining their photo algorithms.
i'm not surprised their site would fail, but the captcha itself doesn't fail when put on other sites.
Show me the captcha before I enter any data please. That alone would confuse half the bots out there. (For a while).
Show me a simple Calculus problem or Trigonometric identity to solve in regular text, instead of a single word all mucked up. It would be easier to solve.
This technique won't work for long: https://www.google.com/search?q=five+plus+seventeen
There are bots that can automatically register on a site, then check the email account for the activation link, in order to start spamming, so that's not a solution.
You e-mail them an encrypted PDF or encrypted Word .DOCX file. With an instruction to visit the link; when they visit the link, they are prompted to double check their phone number -- a call is placed using VoIP technology, and an agent speaks out the secret code required to open the PDF or MS Word file.
The DOC file when opened contains "Unique directions"; for example a link to click on
Then a phrase such as "Four score and seven years ago"
Instructions: Please type the digits of all spelled out numbers in the above and then subtract the square root of 16 from them. Type in twice the value calculated.
Remove every 2nd word from the above phrase, then make the next to last letter of each word capital and remove trailing vowels. Add a trailing punctuation mark and lowercase the first word.
I run a couple WordPress sites for people and ran into massive spam problems. Akismet solved many of the comment spams, but not user registration. Eventually found a plug-in that inserts random questions like "What is the fourth word of the sentence?" or "What colour is the sky?" That has effectively blocked 99.9% of splog spam.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
The only alternative to this that I see is for a central ID system which independently verifies you are an actual person. Trouble is this has some rather severe implications for privacy, in addition to being a central point of failure.
In either case, spam isn't going away anytime soon now that spambots are operating out of the Tor network.
Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
But they are. It's out of context, and it's much harder to make programs that are flexible like that. They're bringing a regular expression to an arithmetic party.
It's not necessarily trivial, but it is definitely a lot easier than an image recognition or image CAPTCHA solving problem.
Regular expressions are great for parsing and normalizing.
s/seven/7/ s/minus/ - / ....
Make a server side script that rotates predefined tags and hiding methods. It would take extra work to create a bot that could cope, time to determine how your system works, and in the meantime you break their code over and over.
It does go in waves. And from the language used, I've got to think it's Eastern European/Asian mainly. But boy is it prolific, and apparently captcha is worthless for stopping it.
It's probably called: human help in solving the captchas. Captchas eliminate lots of spam --- the automated stuff, not the stuff that has human help behind it.
I wouldn't judge it 'worthless' until you've experimented with shutting the CAPTCHAs on and off many times at different randomly selected sampling intervals -- gathered the data, and found; no effect on the rate of spammers signing up.
If the site is designed for those of us who have been through semi-advanced maths and if the spambot had no ability to perform basic calculations sure.
Ultimately I agree that it would be easier for you or I to solve than trying to decipher the Sumerian cuneiform that most CAPTCHAs pass off as text...in practice, however, I think this would alienate about 90% of the target audience while making it easier for bots to decipher and bypass.
I support those laws.
Ditto. However, installing a ramp does not mean you are not allowed to have a staircase. I seriously doubt introducing a law that technically handicaps web site owners is the best way to help blind people access the web.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Show me the captcha before I enter any data please.
Yes! God yes! I've walked away from a few sites that expected me to re-enter a whack of data because the CAPTCHA borfed. Including some where I had intended to spend money.
It always seemed stunningly obvious that you carry over the form contents in situations like this.
Three Squirrels
That is what pisses me off the most about it. You have to struggle *after* you have already made some effort to enter information.
However, they know it very well too that if they show you the captcha *before* you enter any data, most people will just give up right away, because they haven't invested anything yet.
May Peace Prevail On Earth
Likewise. If it looks like it might be worth my time to get to the content of a site, I might make two, maybe even three attempts. More than that, and I'll abandon the site and add it to my hosts file never to be visited again.
An authentication tool that is easier for computers to solve than for humans isn't of much use. Especially when the user is being made to feel like he is being punished for visiting the webpage.
That's why just setting CAPTCHA to appear the 2nd time a form loads for the session/ip generally solves the problem. First time, let everything through. Second time and subsequent, put it in the way.
If this is such an issue for accessibility, how much worse are Flash media, .jpeg'd text messages/media, and AJAX?
None of those technologies lend themselves to text reader applications nor to braille translation.
Nor have I ever seen a Captcha on an actual useful web site -- instead they use little things like manual verification of new accounts, especially things like IBM's developer web sites and my bank account. In fact both my bank account access and my government tax account access required snail mail verification codes for the initial log-in.
Methinks someone over-rates the importance of websites that rely on CAPTCHAs.
I do not fail; I succeed at finding out what does not work.
I like it. I hadn't done any quality research, but it is nice to see work done toward making a non-corporate and easier option.
B) Eliminate all the stupid users. This is frowned upon by society.
I prefer to use one or two accounts to having to create a new one for every site I go to, yes. I prefer to trust one or two well designed systems rather than every half-baked cowboy coder, yes. I think that most people don't care much what system they use and are more likely to trust twitter than john's-favorite-blog system. They're also more likely to remember a password to a couple of sites they regularly use than use a complex system to generate new ones for each of the dozen ones they otherwise.
Plus, with most of those options, I don't have to process a CAPTCHA each time.
B) Eliminate all the stupid users. This is frowned upon by society.
They move the authentication process to a few providers rather than hundreds. The few used are more likely to be secure and less likely to need complex authentication each time.
B) Eliminate all the stupid users. This is frowned upon by society.
Captchas solve the wrong problem. Why should a website care if it is a program or a human filling in a form? Why couldn't I have a user agent to automate registration on websites for me if I am not abusing?
This would fail.
The majority of spam comments now are autogenerated with keywords and generic "thanks for this info, I will come back and read again" messages. Your typical user won't recognize this is spam. It's just like using Bayesian filters for email spam.
I'm out of my mind right now, but feel free to leave a message.....
Remembering a couple passwords and using an authentication they already have is more effort? I don't get how you come to that conclusion. They address the problem of having to create a new ID and prove humanness via CAPTCHA, which is rather the point of the discussion.
B) Eliminate all the stupid users. This is frowned upon by society.
DeCaptcher services are dirt cheap and extremely easy to setup for any page that is going to be abused by bots which the majority has DeCaptcher services built in.
A good example would be my account I use with JDownloader has around 330,000 automatic captcha entries left.
Um, no. The computer doesn't have to understand the meaning of a scene in order to render it. Games are rendered a hundred times per second. The GPU doesn't know that's Lara Croft's boobs, it's just polygons.
pad it with random instead of zeros?
signature is pants
Vastly superior methods for stopping spam have existed since well before captchas were invented.
They still exist today. I've written about them at great length (elsewhere), as have others.
I guess it's just an oversight on your part, that you didn't include a link, right?
The problem is not that these methods don't exist, or aren't effective, or aren't well-understood; the problem is that people refuse to invest the effort to learn them.
Well, I would love to learn them. Unfortunately, every alternative method I heard about, was either less effective or did simply solve a different problem altogether.
"I must have listened to the Skype audio CAPTCHA 20 times before I gave up and asked my sighted friend to set up my account.."
Skype is a bad decision even for sighted people...
An anecdote: I had a website on which the only page accessible to a non-logged-in user is the user request page.
I got a lot of user requests with bizarre usernames. Denied them all. But I started getting 10-20 per day, and increasing. That only stopped when I put a captcha on that page.
If it's reasonable to kill captcha because it's something that works for many but not for a few, why shouldn't the entire (well, 99.999%) of the web that's inaccessible to the totally blind be banned as well?
purging the spam comments isn't even half the problem. I recently set up a site for a small hobby group here using Joomla with K2. As they only had a few members and were migrating people from a facebook group to their site, they didn't really feel the need for a lot of things, like captchas on the blog comments. 2 months after we set it up, I get a panicked text about how it isn't working and the hoster had shut down their site. After getting access to site, I found there were hundreds of thousands of blog comments which had basically been posted at once by some spam bot.
Captchas enabled, no problem since. Screw blind people. If they want a site to even use, they'll just have to deal with it. not that I think they'd be much for a bike club..but I could be wrong..
Use a visual and audio word problem. You can automate making any number of these in many different forms. Anyone who's done 8th grade math can solve them, but computers would have to actually understand the English, and they'd fail at that due to different wordings, inclusion of unrelated information to confuse the computer but not people, etc.
Like: "Of 100 total children, five times the square root of the number of Mary's children is the number of children Mary has plus six. Five strawberries are on a table next to eight books. Of the 100 children, how many have Mary as a mother?"
Computers won't be able to solve that for a long time (mostly due to the language processing, not the math), but humans can solve it in a few moments.
And where did you provide those references?
Rethinking email
Quite right.
While some visual captchas can be quite obnoxious, audio captchas (at least the ones I ended up trying) are truly evil.
Good thing blind people tend to develop much better hearing. They're really going to need it on those audio captchas.
With services like Death By Captcha: http://www.deathbycaptcha.com/ - you don't even need to fully automate (bot) the process. Can simply employ a mechanical turk solution instead. No captcha will ever beat cheap humans.
Captcha solves the wrong problem; who cares if it's human vs bot if the action to be performed is undesirable. Better to constrain with hard limits of posts per device in a given time period.
I'm visually disabled, and while I agree sighties often overlook our needs, the cold hard truth is that any sort of support for the blind will be leveraged by spammers and bots who seek profit at the site owner's expense. Would I love to have better support for me and others like me? Yeah.. but I'm a realist and I know it's never going to be a priority for most people because the sighted don't care about the blind like me.
- d
UM... https://www.google.com/search?q=What+is+five+plus+seventeen easily gives the answer.
I think Joe Cascio's idea of "collateralized identity" looks really interesting here:
http://joecascio.net/joecblog/2013/03/25/collateralized-identity-using-bitcoin-to-suppress-sockpuppets/
The core problem we're really trying to solve with a CAPTCHA is: anonymous identities are very cheap to create. We can require the user to provide and verify an email address, but it turns out those are cheap to create too. What we really need is a way for the user to prove that they have something invested in their identity - be it monetary value, time, cpu cycles, or whatever. A bit like slashdot karma (so you can filter out trolls/spammers using identities with nothing invested in them, which are cheaply created/replaced.)
Bitcoin, if it should ever gain widespread adoption, provides a very convenient mechanism to accomplish this:
1. each bitcoin user already owns a pseudonymous unique public identifier (ie. their bitcoin address), which they can provide to any website as a portable identity
2. to prove ownership of this identity the user can sign a challenge from the website using their private key (hey, we just solved the password problem too!)
3. an amount of monetary value (ie. bitcoin) stored at this address, plus the length of time it has been stored there, is publicly visible on the block chain.
This allows the website to assign weight to the identity based on a combination of: the amount of value stored with the identity + the time it has been stored there. An identity that has had $20 stored with it for 3 days is probably not a spammer. An identity that has had $0.20 stored with it for 3 months is also probably not a spammer.
Of course it is easy to generate an unlimited number of such identities - but hard to have a decent amount of value stored with each of them for a decent amount of time. Websites can easily adjust the weighting threshold required to sign up / post comments based on experience with incoming spam. And there's always the ban hammer - which suddenly has some real weight behind it again :)
Important to note:
1. the money (ie. bitcoin) associated with the ID stays under the user's control at all times. The user alone has the private keys required to transfer/spend it any time they like - of course doing so would lower the weight assigned to their identity by any websites that inspect it.
2. the website need not store any authentication information for the user (eg. a password). The user retains control of their private key, and can use it to authenticate without disclosing it to the website.
Too hard for Joe Public to understand? Maybe.
Just imagine this all wrapped up in a friendly browser plugin. When you visit a website there's no login page - your browser has your private keys (perhaps encrypted with a master password, like Firefox's password manager does today) and just automatically authenticates you. Your browser could provide a drop-down "switch identity" widget in the toolbar to let you flip between multiple IDs / generate new ones, which is the only bit visible to the user (they need never hear terms like "private key".)
An "add weight to this identity" option would allow you to add/withdraw funds for any ID. Initially this might look like a bitcoin transfer (confusing for non-technical people), but a private company could easily provide a regular payment gateway on top of this (ie. accepting dollars), making the process no harder than recharging your skype credit.
Adding weight to any identity would be strictly optional, but might eg:
* allow you to skip CAPTCHAs
* allow you to post at +2 on slashdot by default
* generally increase the trust in your identity being genuine all over the web - use your imagination....
--Gareth
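One way a site could turn "amount stored plus time stored" into a number, as an added example that is not part of the comment above or of the linked proposal. The ledger is constructed sample data rather than real block-chain output, and the dollar-days formula, the oldest-first spending rule and the threshold of 15 are assumptions made for illustration.

```python
from collections import deque

DAY = 86400  # seconds


def value_days(ledger, now):
    """Weight of an identity in dollar-days of value still held at `now`.

    ledger: chronological list of (unix_time, delta_cents) for one address;
            positive deltas are deposits, negative deltas are spends.
    Spends consume the oldest deposits first, which is the harshest choice:
    moving money out always costs the identity its most aged value.
    """
    lots = deque()  # each lot is [cents_remaining, deposited_at]
    for when, delta in ledger:
        if when > now:
            break
        if delta > 0:
            lots.append([delta, when])
            continue
        owed = -delta
        while owed and lots:
            take = min(owed, lots[0][0])
            lots[0][0] -= take
            owed -= take
            if lots[0][0] == 0:
                lots.popleft()
        if owed:
            raise ValueError("ledger spends more than the address held")
    cent_seconds = sum(cents * (now - since) for cents, since in lots)
    return cent_seconds / (100 * DAY)


def admit(ledger, now, threshold=15.0):
    """Site policy: skip the CAPTCHA when the identity carries enough weight.
    The threshold is a hypothetical default a site would tune against spam."""
    return value_days(ledger, now) >= threshold


NOW = 100 * DAY

# Constructed ledgers for four identities.
TWENTY_DOLLARS_3_DAYS = [(97 * DAY, 2000)]
TWENTY_CENTS_3_MONTHS = [(10 * DAY, 20)]
ONE_CENT_3_DAYS = [(97 * DAY, 1)]
# Held $20 for a long time, spent it, then refilled an hour ago:
# the aged value is gone, so the identity starts again from nothing.
RECYCLED = [(10 * DAY, 2000), (99 * DAY, -2000), (NOW - 3600, 2000)]

if __name__ == "__main__":
    for name, ledger in [
        ("$20 for 3 days", TWENTY_DOLLARS_3_DAYS),
        ("$0.20 for 3 months", TWENTY_CENTS_3_MONTHS),
        ("$0.01 for 3 days", ONE_CENT_3_DAYS),
        ("spent and refilled", RECYCLED),
    ]:
        print(f"{name:20s} {value_days(ledger, NOW):8.2f} admit={admit(ledger, NOW)}")
```

The two identities the comment calls "probably not a spammer" come out at 60 and 18 dollar-days, while a freshly refilled address scores under one.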
fine.. run your own site, or go somewhere else.
You could start off with your common-or-garden variety spam filter and increase the linguistic sophistication for your defences from there ...
C'mon, given the technology that exists to spy on you everyday, CAPTCHAs are a really dumb way to deal with this problem. I mean, if we can land a man on the moon ... oh yeah we can't any more, forgot.
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
What happens once Project Gutenberg runs out of books published before 1923?
Suggestions probably get shut down because the "one corner case" happens to be the subject of the featured article.
Your solution breaks with multiple people in the house who share a phone.
The web is not a visual medium. It is a medium of the HTML DOM, even if your favorite user agent happens to present it visually. Blind people use tools called screen readers that read text in the DOM aloud.
For a captcha for the blind, how about the question "Which sentence makes sense?" and grab a sentence from some out of copyright book or something with four other computer generated ones, that are grammatically correct, but otherwise are nonsensical. Something like:
A. He was a light, slow, and there is a small Saturn -- away from a high flame lying in the life within it.
B. This was not illegal (nothing was illegal, since there were no longer any laws), but if detected it was reasonably certain that it would be punished by death, or at least by twenty-five years in a forced-labour camp.
C. Its neck was a novel entitled "Kaleidoscope Vision," which is hat crinkle were like fresh glass domain key
D. He was shrill the world was a greenish drink at me that leads to allow the cold water
Read the (7 letter word starting with F) article: I must be lousy at counting today because "featured" looks like it has eight letters.
I have no mod points so I must say that if everyone had that same reflex you just displayed, of checking one's assumptions when it's trivial to do so, humanity would be conquering the universe at this point.
Not if there's an alternative that isn't overrun by spam and doesn't have CAPTCHAs
As a moderator on a popular Australian bonsai website: without captcha we would be screwed. The amount of spam while having it on is bad enough. We had it turned off for a while and got hammered!
We actually use multiple methods, and we still get spam!
the only answer would be to shoot every spammer!
Okay they could pad with something random instead of zero. But a little more involved program could simply read the image in memory, go thru the JPEG fields, and remove all that is "padding". Et voila. You can again compare the number of zeros.
A more involved solution would probably be to add additional distortion in the original image which would be invisible to the eye, thus forcing the compression algorithm to build a longer file for the original, but that would be far more involved and probably could be broken other ways.
True, but that is likely to be the same for any widely adopted solution. The best protection is probably just to have a question that is fairly unique and yet has a well defined or known answer.
They move the authentication process to a few providers rather than hundreds. The few used are more likely to be secure and less likely to need complex authentication each time.
Or: They move the authentication process to a few providers rather than hundreds. The few used are more likely to be heavily targeted by spammers and less likely to do the required job.
Authentication and determining trust (i.e. determining whether the "user" can be trusted not to spam) are two separate problems that are perpetually bundled together inappropriately. IMHO they need to be separated:
The authentication service provider needs to be someone the user trusts - when I go to some-random-blog.com and have to authenticate to leave a comment, the blog can contact my authentication server to find out who I am. The blog doesn't need to know how my authentication server is authenticating me (could be a password, or kerberos, or whatever), all the blog needs is confirmation from the auth server that I really am who I say I am. So I can log in with "me@example.com", the blog makes a DNS SRV lookup on example.com to find the auth server, does a challenge/response handshake with the auth server that proves that the auth server has determined that I really am me@example.com. The authentication server can be run by myself, my ISP, my email provider, facebook (if I were insane), whoever - the important thing is that the authentication provider is someone I trust and no one else gets my actual authentication credentials. This immediately massively reduces the threat of leaked passwords, etc. since I'm not having to hand my passwords out to random people I don't trust.
The "trust provider" (i.e. the service provider that determines whether or not I'm a spammer) needs to be someone the blog owner trusts - it could be run by the blog owner themselves, or some third party (google, etc.). All it does is some verification that my ID (me@example.com in the example above) is used by a human. The blog asks the trust provider for verification, the trust provider says "this ID doesn't belong to a spammer" and the blog allows me to post. I guess some kind of feedback mechanism would be good so the blog owner can inform the trust provider if I start spamming.
This even provides some level of anonymity - I can have multiple IDs all backed by the same authentication credentials at the same server if I want, and it could be arranged so the blog itself never even sees my ID, only the trust provider actually needs to see it. And if I *really* trust my authentication service (i.e. if I run it myself) then I only need one set of authentication credentials in order to log into anything - whether that be slashdot or my bank - because no one except my auth service actually ever gets trusted to see those credentials.
http://blog.nexusuk.org
TROLL WARNING! (Read the user name.)
If you want to troll, Arrogant-Bastard, then at least don't be so *shitty*. My grandma eats "trollings" like that for breakfast.
___
He's probably 13, judging from his statements like "I have more experience in this area than you could possibly guess". That's the last time I used "arguments" like that. Especially after talking about "methods", yet conveniently not mentioning a single one of those. Just like the "references" he "provided".
Also: Several thousand posts over several years... sorry, but that's not a person living a successful life, but a loser in his underpants, posting flames from his mother's basement. Ain't nobody got time for that!
If the site you like does get spammed, then it is your problem.
More spam = more expensive site to run = need for more income = more ads, smarter ads, ones that go around ad blocks.
I am all for ending captchas; however, what are the alternatives?
Please, I would like more discussion on good alternatives, rather than just busting on an old attempt that works OK.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I am vision impaired & *had* a hard time with captchas.
Until I remembered that in firefox, ctrl+ zooms.
When I run into a captcha, I hit ctl+ a few times, fill out the captcha & submit.
Then I hit ctrl- a few times to get it back to the appropriate size. Yes, I know about ctrl0, but I already run most pages a little zoomed.
Every single person I have shown this to, vision impaired or not, no longer has a problem with captchas...
pass it on!
Just offer a possibility to register by email with a real person for the ones who have trouble with captchas. Why the hell do you have to try to automate _everything_? There is a minimum wage IT job right there. The economy will get better when the unemployed get jobs.
I think this would alienate about 90% of the target audience while making it easier for bots to decipher and bypass.
We need to ask 4 or 5 questions, and allow the visitor to "Choose which question to answer"
Please answer three of the following, and leave the rest blank:
So, scaring users away with wall of text and (more) complex instructions (than usual) while making it easy for the bots - they only have to know answer to few questions and refresh the page until three of those come up.
Might as well start asking humane questions like "What did you feel when Scar killed Mufasa? (In 100-200 characters)" or "What's your opinion on relationship between science, religion and morals? (same)" and have another human rate answers.
Captchas are a regrettable first line of defense to keep the remaining spam manageable. You really need multiple defenses to keep the conniving bastards out.
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
There's a missing comment upthread which included half a dozen or so links (including one back to Slashdot) about projects that have quite, quite effectively demonstrated that captchas are worthless.
Of course anyone of even modest intelligence would be capable of doing their own homework and searching the web for things like "captchas defeated", then reading what they find. It's old news (years-old, in fact) by now, so there's plenty to read about. But then again, nobody of modest intelligence would even consider using captchas: that's the province of the lazy, the stupid, the ignorant, the worthless.
Here, I'll get you started: https://freedom-to-tinker.com/blog/felten/cheap-captcha-solving-changes-security-game/
That's one of MANY. You should be able to find some of the rest in a few moments without further assistance from me.
No, not a troll, just very aggravated that this conversation is apparently necessary. The lack of cognitive and research skills among defenders of captchas is appalling; how can ANYONE be so amazingly ignorant as to not recognize that the only captchas that haven't been thoroughly defeated are those that aren't worth defeating -- because what they "defend" is so pitiful that not even spammers care about it?
As to your incorrect speculation on my background: I go back to ARPAnet days, kid. So I've earned the right to be a little snotty from time to time when faced with the kind of monumental ignorance on display in this discussion.
But you know what? If you want to blindly persist with your pathetic captchas and your laughable belief that they have any value at all: go right ahead. Just keep holding up tissue paper in front of a tank and hoping it'll work. I'm sure that'll work out just great for you.
Computers can solve some of these more easily than humans can. We can stop pretending we're still better than machines at optical character recognition.
That isn't a thoroughly hard problem
Solve it, then.
From apples three, bright and red, Billy ate the first and bled - A razor had a witch hid there. One drop, two drops, three drops, more! And gazing down at the evil barb, he reflected on the primary causes of World War II. Drip. On the Pythagorean theorem, drip. On shoes and ships and sealing wax, drip drip drip. On the price of a first class stamp. On dasher and dancer and oh, the agony. He noted the blood, ignored the rest, what is six times 9 less pi? Then he died. Alone. In the rain.
Go ahead. I'll give you another when you have a program that can parse that one correctly.
You can automate one part of that, though - Any IP that answers 50.858, you simply auto-ban as a spambot.
Second, it takes away your contribution of "linkiness" for your legitimate users' links to Google's pagerank algorithm. You can fix this with extra work like "probationary" and "full" users, but then you're taking on the task of rating your readers, which may be Sisyphean on a site the size of Slashdot.
That's what karma is for.
Users with 4-digit IDs or lower, and users with karma 4-5: full users
Users with karma 1-3: probationary users
Users with lower karma: rel=nofollow users.
Anonymous cowards: rel=nofollowthatbastard users.
no.. this is about blind people complaining that audio captchas are too hard.
you know why they complain? they haven't had to deal with a bunch of impossible visual captchas.
slashdot is one of the few sites with reasonable captchas.
There's more than just that involved.
A certain nameless site for a very popular product has color captchas. I desperately needed support, but could not register because it used a color captcha which rendered very poorly at my screen resolution and used colors that strained my less-than-perfect color vision.
And the maddening thing about it was that I already had seen plenty of spam posted to the forums. The spammers had presumably simply hired cheap labor to defeat the captchas manually.
I always wondered - we build an Internet to transfer files, so who cares if a person does it or not? Why have CAPTCHA at all? If people want to automate file transfers, let them. We've built out an Internet that cripples itself at every turn. File download services cripple their bandwidth, and then cripple themselves with wait times between downloads, and make people type CAPTCHAs.
They've gotten too good. I cannot read them!
aren't they also being used for reading old texts where OCR failed? I think these are the ones where there's 2 panels? it's a hidden positive of using them.
spam would be your problem as well, as it would make many pages/sites unusable. while i do find some captchas annoying, i find spammers a thousand times more annoying. i wish them painful death, maybe by suffocating in sleep and waking up too late. or something.
Rich
because what they "defend" is so pitiful that not even spammers care about it?
You say that like it's a bad thing. I have a small, technical, professional special interest forum. It seems to be of value to the users given that they keep posting, but is "pitiful" according to you. The readership is not big.
Initially it got overrun by the massive bulk spamming operations. I put in a captcha. Now the economies don't work out for targeting a small forum like that.
Great! Captchas worked!
So I've earned the right to be a little snotty from time to time when faced with the kind of monumental ignorance on display in this discussion.
Yet you are the one being monumentally ignorant by assuming that anything worth protecting but not worth attacking is "pitiful". You seem to be ignorant of the whole world of small special interests out there that are valuable to the members but will never be big.
I am fully aware that captchas are not very strong security. Neither is the lock on my front door. But I guess my house is "pitiful" since I don't have the crown jewels locked up inside.
SJW n. One who posts facts.
don't you think they fixed it? it sounds trivial to fix.
Their website's examples are still zero-padded, so it seems not.
systemd is Roko's Basilisk.
It's still trivial to break: https://gist.github.com/Glyxbaer/4564489
systemd is Roko's Basilisk.
If taking a couple seconds to answer a CAPTCHA is too much effort, I probably don't really care what you have to say in the comment section.
If you can't take a couple of seconds to skim through the summary and discover that it's not just about time, it's about accessibility, then I don't care about your opinion either.
Instead of complaining for its removal, they should instead implement an alternative to systems like re-captcha, such as a world wide phone verification system at their expense, and provide it free to webmasters. Otherwise free solutions like re-captcha will remain dominant.
Change is certain; progress is not obligatory.
All you have to do is ask a simple question: "Are you a robot?" with radio buttons for "yes," or "no." Bots can't lie if you ask them if they're a machine. I know because an undercover cop told me.
That implies that spammers are unconcerned whether or not their spam is effective. They're concerned about the ease of spamming.
Which makes perfect sense if you're farming out the task of spamming to cheap labor or to robots - the laborers will follow your instructions, it's not their job to analyze whether or not it's working. So you could warn the users all you want that their spamming will not be effective, but the spammers are not even going to read it, and will pollute your site anyway.
That further implies that even a weak captcha would be enough to stop robots and low-paid laborers. And a friend of mine offers anecdotal evidence that it helps. He added a check box to his site: "check here if you are not a spammer [ ]". It reduced some of the automated spam. But he still reads and approves all comments before they're posted, as there is still spam.
What about a script that produced randomized simplistic captchas: "Human test: two plus three equals [ ] four [ ] five [ ] six" "Please answer this question - three added to three is [ ] six [ ] seven [ ] eight". Vary the wording, vary the answers, vary the correct answer position, vary the position of the question on your sign up screen, and randomize the field name. It will stop robots until someone specifically targets your site.
Better, don't vary anything until you need to. Let the spammers do the work first of adapting to you. They might ignore your site unless you're really worth it to them as a target. Then vary one thing, and see if they "chase" you with a round of fixes. If they continually adapt their robots, (or pay for smarter laborers), then you need to do something else. If not, you've saved yourself a lot of work, and you still have fewer spammers.
John
I've seen quite a number of CAPTCHAs that were so distorted they were completely impossible to deduce any actual Latin characters out of them at all. (Or the occasional CAPTCHA that actually very clearly had characters that were *not* Latin characters. Those are fun.)
I've found the best way to get rid of spambots without wonky captchas, is to have a free-form textbox field that requires the person trying to create an account to answer a simple question. For smaller sites, it can even be a static question like "what's the answer to this question: 5+6 = ?". For larger sites it can make sense to have a rotating or frequently-updated question about the site itself, something a spammer, even a non-bot spammer, wouldn't know without researching, but that someone who came to the site because they were interested in the subject would.
If taking a couple seconds to answer a CAPTCHA is too much effort, I probably don't really care what you have to say in the comment section.
Or a couple of minutes considering most captchas are illegible.
This!
More and more, captchas take two or three attempts.
(Disclaimer: IMHO, I'm not senile, dyslexic, a horrible typist, or blind. Your opinion may vary.)
I suspect some sites are intentionally forcing a fail once or twice, at least occasionally, especially when you enter the word in a timely interval. Bots probably give up after two failures, and they probably answer quickly.
So implementers make it more and more restrictive and throw in bogus failures.
I have a 13 inch diagonal laptop screen, and a 22 inch desktop screen, and these distorted captchas are the pits. If they could be as good as the ones from /. I would not mind them. But for some sites, the programmer, if you get the captcha wrong, wipes all your input.
Regarding multiple entries, "yahoo.com" always forces me to enter the password twice. That is at least better than clearing the form and starting from the beginning
Leslie Satenstein Montreal Quebec Canada
The approach will fail if the context is important (autogenerated text) and if the comments are too long (user won't bother to read til the end).
Hello... I have at times just given up trying to GUESS what the hell I was supposed to type. This program is way over the top to protect Webmasters!
So, have some of the racist idiots with zero tech skills, and too much time on their hands, posted to this thread yet? I've already seen two stories - I think the last was on Bezos buying the Post, that had a long, incoherent rant by some asshole, with nothing to do with anything other than their desire to masturbate in public.
mark
The best and simplest solution to stop all registration bot spam is to make your registration double opt-in. If the bot cannot click a link in a confirmation email then the registration never succeeds. Even harder would be to make the link in the email unclickable and make them copy and paste it into the browser to complete the registration. That is mission accomplished.
so it's better to have to register an account with some shoddy "identity manager" (facebook, google, disc0, etc..)
and tell them that you're posting a new comment EVERYTIME?!!
-
go to any website (newspaper in dodgy country maybe?) call up "identity manager" first: "hey guys, i'm going to post some stuff on this website, would you please confirm my identity to them please?" - "sure no problem, let me just make a quick entry in our history of ALL your posts in OUR (three letter agency shared) database ...." - "okay, cool, thx bro!"
-
hating captchas makes you a three letter friend.
pinky brown blue
You did what? You know what you are talking about? You know you are on /. right?
The new right fascists are bilingual. They speak English and Bullshit.
You have to look at the intention of the law. In the US the percentage of legally blind people is 0.03%. People with disabilities should just accept that there are things that they won't be able to do. I know that isn't very PC and I will get hate for saying it. Shit, someone has to, don't they? This is about forcing people to register their real identity when they first log on and that data being available everywhere they go online automatically. It is to make anonymity online as close to impossible as they can.
The new right fascists are bilingual. They speak English and Bullshit.
I wish /. had an edit feature. At least until I had had my second cup of coffee.
The new right fascists are bilingual. They speak English and Bullshit.
What about us people with only one hand available at the time. We hate captcha too!
Actually, seriously, so many websites should design for this; it's a big usability issue.
stopbotters.com: I'm using it on a few of my websites; however, I'm also using the picture puzzle captcha, which is easier than text. With these 2 systems combined I have yet to have any spam or bots sign up.
KeyCaptcha is free for their basic https://www.keycaptcha.com
StopBotters.com is a javascript file that connects to a database that searches various variables, for example: time taken to register (if detected faster than the allotted, changeable time, ban as bot), editing of hidden fields, and IP and email lookup to verify if they match any spam that has been detected in the past, and bans them.
Fairly nice system.
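Two of the signals listed in the comment above, time taken to fill in the form and editing of hidden fields, can be checked on the server without any third-party service. The following is an added example, not StopBotters code and not part of the original comment; the key, the five-second minimum, the one-hour form lifetime and the hidden field name `website` are all assumptions.

```python
import hashlib
import hmac

FORM_KEY = b"constructed-form-key"  # assumption: per-site secret kept on the server
MIN_FILL_SECONDS = 5                # assumption: faster than this is treated as a bot
MAX_FORM_AGE = 60 * 60              # assumption: forms older than an hour are rejected
HONEYPOT_FIELD = "website"          # hypothetical field, hidden from people with CSS


def _sign(timestamp_text):
    return hmac.new(FORM_KEY, timestamp_text.encode(), hashlib.sha256).hexdigest()


def issue_token(now):
    """Value for a hidden 'token' field when the signup page is rendered.
    It carries the render time, signed so the client cannot back-date it."""
    ts = str(int(now))
    return f"{ts}.{_sign(ts)}"


def classify_submission(form, now):
    """Return 'ok' or the reason the submission looks automated.

    form: dict of submitted field names to string values.
    """
    ts, _, sig = form.get("token", "").partition(".")
    # Compare as bytes so arbitrary client input cannot raise inside compare_digest.
    if not ts.isdigit() or not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return "bad-token"
    elapsed = now - int(ts)
    if elapsed < MIN_FILL_SECONDS:
        return "too-fast"
    if elapsed > MAX_FORM_AGE:
        return "expired"
    # People never see this field, so any value in it was put there by a script.
    if form.get(HONEYPOT_FIELD, "") != "":
        return "honeypot-filled"
    return "ok"


if __name__ == "__main__":
    rendered_at = 1_700_000_000  # constructed timestamp
    token = issue_token(rendered_at)
    samples = {
        "human, 30 s": ({"token": token, "website": ""}, rendered_at + 30),
        "script, 1 s": ({"token": token, "website": ""}, rendered_at + 1),
        "fills every field": ({"token": token, "website": "http://x.example"}, rendered_at + 30),
        "no token": ({"website": ""}, rendered_at + 30),
    }
    for label, (form, when) in samples.items():
        print(f"{label:18s} -> {classify_submission(form, when)}")
```

A valid token can be reused until it expires, so a site that cares would also bind it to a session or record it as spent on first use.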
What's wrong with the audio option that is offered by every CAPTCHA service *I* know of?
Including the one that /. uses for AC posts.
THINK! It's patriotic
Per image, it's a one-dimensional search space. If you expect a human to solve it, they have to be able to know if they're moving in the right direction once they get close. That means a binary search (probably 10-ary) will do the job. This problem is computationally trivial. If this gets used on a single interesting site or a large number of uninteresting sites (e.g. wordpress or phpBB), you'll soon be spending more time making keys than you would spend filtering spam.
No. Lots of sites have disabled link posting, yet spam remains a problem. Look at all the junk stock spam email you get on a regular basis. Other spammers even use: "visit MyScamSite (dot) co".
When my blog was spammed once, I could see the trail:
1) Post simple plain-text "hello world"-style message as bot to ensure you can post
2) Post with linking the username
3) Post with links in the body
Even when #3 was disabled, they abused #2. With #2 disabled, #1 was still abused by the first timers. This was back in the day before the flood of penny stock spams when other targets were easier.
If this gets used on a single interesting site or a large number of uninteresting sites (e.g. wordpress or phpBB)
Ooooh BURNNN on Wordpress!
Try it and see. It's horrible.
The Ryan Air site now makes you watch an advertisement before viewing their CAPTCHA.
The fact that a lot of them you can read and match them and it still makes you try over and over again. For the most part you are guessing what most of the letters and numbers are. Wish they would eliminate all of them everywhere.
and start knocking on doors
I thought the Watch Tower Bible and Tract Society had the patent on this. :p
Also make it harder for you to solve CAPTCHAs. And there's nothing worse than CAPTCHAs on mobile.
AI understands logic much better than the captcha problem, and has for 50 years. Early LISP and later PROLOG solved these problems well. Modern computers can expand search spaces that are much larger now.
I personally recall a site that replaced captcha strings with basic calculus problems. An MIT student wrote a LISP program to solve these in the late 1960's, before I was born.
So, scaring users away with wall of text and (more) complex instructions (than usual) while making it easy for the bots
No... only a few questions need to be asked. There are already a lot of questions on a signup form.
- they only have to know answer to few questions and refresh the page until three of those come up.
What makes you think they can refresh the page and get more questions?
I would limit signups to 1 signup per IP address per 2 hours, and use a hash of a timestamp with a 60 minute resolution concatenated with their IP address to uniquely select questions.
If they refresh the page; they will get the same questions.
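The scheme in the comment above (questions picked from a hash of the hour and the IP address, one signup per address per two hours, answer three and leave the rest blank), as an added example that is not the commenter's code. The question pool and addresses are constructed; using a keyed HMAC rather than a bare hash, showing five questions, and accepting the previous hour's set at verification time are assumptions of this sketch.

```python
import hashlib
import hmac
import random

SERVER_KEY = b"constructed-demo-key"  # assumption: per-site secret, not in the comment
BUCKET_SECONDS = 60 * 60              # "60 minute resolution"
SIGNUP_INTERVAL = 2 * 60 * 60         # "1 signup per IP address per 2 hours"
SHOWN, REQUIRED = 5, 3                # show five, answer three, leave the rest blank

# Constructed question pool: (prompt, accepted answer in lower case).
POOL = [
    ("What is two plus three?", "5"),
    ("Which day comes after Monday?", "tuesday"),
    ("What colour is a ripe banana?", "yellow"),
    ("How many legs does a cat have?", "4"),
    ("What is the first month of the year?", "january"),
    ("What is ten minus four?", "6"),
    ("Which is bigger, a mouse or an elephant?", "elephant"),
    ("What is frozen water called?", "ice"),
]


def bucket_of(now):
    return int(now) // BUCKET_SECONDS


def select_questions(ip, bucket):
    """Indexes into POOL chosen only by (bucket, ip), so a refresh changes nothing."""
    mac = hmac.new(SERVER_KEY, f"{bucket}|{ip}".encode(), hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(mac, "big"))
    return rng.sample(range(len(POOL)), SHOWN)


def check_answers(ip, now, answers):
    """answers: SHOWN strings in displayed order, empty where the visitor skipped.

    The form may have been rendered just before the hour rolled over, so the
    previous bucket's question set is accepted as well as the current one.
    """
    if len(answers) != SHOWN:
        return False
    given = [a.strip().lower() for a in answers]
    if sum(1 for a in given if a) != REQUIRED:
        return False
    current = bucket_of(now)
    for bucket in (current, current - 1):
        chosen = select_questions(ip, bucket)
        if all(a == "" or a == POOL[i][1] for i, a in zip(chosen, given)):
            return True
    return False


class SignupLimiter:
    """Allows one successful signup per address per SIGNUP_INTERVAL (in memory)."""

    def __init__(self):
        self._last = {}

    def allow(self, ip, now):
        last = self._last.get(ip)
        if last is not None and now - last < SIGNUP_INTERVAL:
            return False
        self._last[ip] = now
        return True


if __name__ == "__main__":
    ip, t = "203.0.113.7", 1_700_000_000  # constructed address and time
    first = select_questions(ip, bucket_of(t))
    again = select_questions(ip, bucket_of(t + 600))  # page refreshed ten minutes later
    print("same questions after refresh:", first == again)
    for i in first:
        print(" -", POOL[i][0])
```

Every client behind one shared address gets the same question set and shares the same two-hour signup allowance.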
+1000 !
I am an intelligent person (probably like most people here), and also extremely observant by anyone's standards, and I find that the majority of the time, at least one character of the captcha is so hard to read that I have a 50% chance at best of getting it right.
We have NLP that can parse sentence structure from syntax/grammar, and there's only one question in the entirety of what you posted. Hell, for that specific example I could isolate the relevant bit with a regex looking vaguely like /.*[,\.]([\w\d ]+\?).*/ (and yes, I know that would be defeated by scattering random question marks around the place, but I still think it's damning for your approach).
Besides that, I'll give you a dollar if you can put up a site that uses that system without the response from the registering public being "WTF how is log in formed?"
and there's only one question in the entirety of what you posted
Then I suppose you have, accidentally, shown my proposal as too complex - Because the "one question" counts as a red herring and gives you the wrong answer (thus my final statement of auto-banning anything that answers 50.858).
FWIW, the real "question" appeared as "He noted the blood, ignored the rest".