Campaign To Kill CAPTCHA Kicks Off
Bismillah writes "CAPTCHA may be popular with webmasters and others running different sites, but it's a source of annoyance to blind and partially sighted people — and dyslexic people and older ones — who often end up being locked out of important websites as they can't read wonky, obfuscated letters any more than spambots can. A campaign in Australia has started to rid sites of CAPTCHA to improve accessibility for everyone."
stupid
Makes it useful.
No replacement is mentioned in the article, just the drawbacks of the existing scheme.
from automated submissions?
If the campaign was taken over by bots?
"W3C has suggested other techniques such as logic puzzles, limited-use accounts and non-interactive checks to prevent abuse such as fraudulent account creation and spamming."
It's going to be far harder to make an AI that can create a decent logic puzzle as well as make it accessible and hard for computers to solve than it is to make an image and warp it a bit. I think any such puzzle will probably be worse than the audio captcha button.
there isn't a single thing that everyone will like or approve of.
let's say you change it so you have to answer a simple addition math problem. what you get is someone crying, "i have to answer 5+8?! but i dunno maths you insensitive clod!"
you know that person really exists.
Anons need not reply. Questions end with a question mark.
Yeah, yeah, and after they have this and the spambots trivially come back, they'll start bitching that their screen readers can't properly translate "the cheif fuicks le sabretary havemake for the dealintroductionary xxxxanaxxxxxfree". *sigh*
OCR has advanced to the point it is now possible to beat it 99.99% of the time no matter how difficult to decipher -- which has a side effect of making even real humans have trouble reading the CAPTCHA. Not willing to shell out for quality OCR? No problem, Amazon's Mechanical Turk provides you all the tools you need to get people to read the CAPTCHAs for you and the spam goes on. Don't feel like spending any money at all? No big deal, many CAPTCHA services are easily bypassed. (Let's not get into the ethics of certain companies using CAPTCHA solutions for third-party websites as unpaid labor.)
This was an early-00s temporary solution to a permanent problem better solved via other means.
A campaign in Australia has started to rid sites of CAPTCHA to improve accessibility for everyone.
Sure, but have they come up with or even recommended an alternative? No?
Well fuck 'em, then - I for one am pretty damn fed up with all these people and organizations who do nothing but bitch about how Item X is 'unfair' to them, AND expect someone else to come up with the solution for them.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Not sure if this is already super well known, but only 1 word is actually used for verification. In this example you could type "thrand " and pass it. The verification word always looks similar in font/size to 'thrand'. Oh, and the other word I believe is a scan from a book and if you *do* type it in, it will help the digital scan of the book actually pin point what word it is.
You were critically hit for no damage. The bruise will look nice, and maybe the scars will make good party talk.
there are already several types of captcha nowadays that are newer and much easier to use. one of the ones I've seen is one with a company logo and you have to type out the company name. another is one where you have to make a pizza with specific toppings. another one is where you have to draw an image. captchas are necessary... the problem is that they have become too ridiculously difficult instead of making it easy to use for normal ppl.
But, having the forum overrun with spam and Frosty Piss is far more annoying!
A stoned person types his password into a CAPTCHA field.
"Wrong? Ah man, I know that's my password."
CAPTCHA will be around as long as it is the best way to stop programmatic submissions.
CAPTCHA sucks for sighted people as well, not just the visually impaired.
As long as we have need for tools to discern software from people, something like CAPTCHA will exist. And so far we haven't developed anything that only humans can do, but computers can't.
I'm out of my mind right now, but feel free to leave a message.....
Another "service" Goggle capitalizes on, for free.
It makes me want to cry when I think of how many captchas I've typed...
Passwords, with no two sites accepting the same format. CAPTCHAs, which often as not even normally sighted people can't read without difficulty. Security questions which are either inane or represent their own special security risk.
God almighty, can't we come up with something to replace all of these?
Three Squirrels
Mission Accomplished.
Annoyance to older people who were used to buying their overseas Viagra from forum spambots.
Captcha fulfills a need - it is, as the name implies, a test to completely automatically tell computers and humans apart. It's necessary to keep spambots from registering accounts and spamming the hell out of us. Granted, the "type this wobbly word" may not be the most practical (nor safe) solution. It's easy enough to come up with alternatives- Perhaps show four photographs and ask the user to click on the one that doesn't belong (maybe the kitten out of a picture of 4 cats). Coming up with good ideas? Much harder. Complain about it all you like. Come back if you have a better alternative.
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
Apparently blind people are unaware of all the spam postings clogging porno web sites without it.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
wait, I thought the whole point was to keep those damn dirty dyslexics from posting!!
This kind of thing shouldn't be hard at all. You don't need complicated logic puzzles or any such thing. You just need something that's hard for a computer to figure out, but easy for a human.
For instance, render a 3D scene and ask a question about perspective. "What is the person holding in her right hand?" "What is the person looking at?" and similar such questions. Trivial to render. Hard to figure out, because it's far beyond simple image recognition: you have to see and interpret what's going on in the scene. It doesn't have to be confusing or hard at all. (And rendering is super cheap these days.)
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
there are a few websites I want to access but cannot because their CAPTCHA is unreadable. Some of them are just way too complicated to read. I use it on my own blog but it is simple enough so you can get it the first time. It would be nice if there was some other way to prevent bots.
... the Feedback page for TFA blog has a CAPTCHA.
It must have been something you assimilated. . . .
Go ahead, create a better solution and we will be waiting.
It must be capable of being hit many thousands of times per second, so it can't be heavy on resources.
It must be capable of being displayed in any browser from the past 5 years at least, 10 preferable.
It must absolutely not be plugin based.
It must have absolutely no sound unless requested.
I had an idea myself of having fuzzy cats and dog pictures, stretched, skewed, noise added and rotated, all up to a maximum value before it becomes too noisy.
Grayscale, color would be applied to them. Option of even having virtually weird colors that aren't natural.
The hugely identifying features of the face would be blocked out, cats and dogs are still pretty identifiable by body, regardless of face being visible or not, but it may still be stupidly hard for computers to figure that out without huge resource requirements.
That slapped on top of a fuzzy background.
Each image is pregenned in batches of however many the server operator can be bothered to generate, or just semi-realtime.
They are not generated on the client end, ever.
Count the dogs or cats.
Problem is this fails the resource part in that they are particularly heavy to generate as well as transmit. (even as a JPG)
To be of any use, they would also need to be fairly wide, tall or generally just fat.
It could work and anyone is free to steal the idea. If you could get it to work and work well without too much in terms of resource usage, I applaud you and wish you much success. It is not something I care enough to implement myself, unless I were to go ahead with making that website, but that is unlikely at present.
Who knows, I could be using the idea I gave you for my own site one day. Think of all that fame you would get, "The person that killed CAPTCHA".
Of course, image recognition is getting considerably better as each year passes.
There are systems that use huge numbers of image caches and machine learning to figure out captchas.
These are typically only reserved for people that can afford to pay for it.
But power increases constantly. And those cards designed for bitcoin mining are very useful for such a task of cracking and comparison in general.
It could be cracked very easily if it is far enough ahead.
And before anyone mentions it, Rapidshare isn't the inspiration for this, I had this idea before I even knew of Rapidshare's existence.
Equally, Rapidshare's attempt at it was absolutely terrible and abusively bad, half of those pictures were impossible to tell even for humans! (which is for obvious reasons to get more money, which will happen rarely and it just pisses off the people who wanted a file)
solvemedia and other advertising scum let webmasters make money off of annoying their users
why would they give that up?
The campaign support page already has 17 billion supporters!
Get rid of them and replace with simple maths question:
http://farm3.static.flickr.com/2174/2268237733_cda4a1dbb3.jpg?v=0
We have AI units that are equivalent to 4 year old kids. How much longer until they can defeat standard CAPTCHA systems?
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
CAPTCHA may be popular with webmasters and others running different sites, but it's a source of annoyance to blind and partially sighted people — and dyslexic people and older ones — who often end up being locked out of important websites as they can't read wonky, obfuscated letters
CAPTCHAs tend to have an audio button where a string of numbers is read off to you.
Even Slashdot has a "mp3" button that reads the letters on the CAPTCHA off to you.
Doesn't that already help all the above people with issues listed here?
(Except possibly the "older ones", who may have hearing issues too.)
What do I know, I'm just an idiot, right?
Bots can read most captchas being used.
I've become convinced that the purpose of captcha is to punish regular users. I strongly suspect that spambots merely push the re-captcha link until they get a pattern that's easier to parse.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I've been developing websites over 10 years and have never needed a captcha system.
This is how I always go about it:
1) Include a form input element labelled as something common, like a telephone number but on a registration form that would never actually require a telephone number. Hide the parent div using CSS in an external CSS file. When the form is submitted, check to see if the element is filled out. If it is, simply display a message that you think their registration may be automated and to try again. If it continues, please contact us by other means (phone, email, etc) and we will help them through it.
2) Time the registration from the time the page is loaded to the time it is submitted; if it's less than 10 seconds, do the same as above, simply display a message saying you think their registration is automated and to try again, etc.
When used in conjunction I feel I've cut out 99.9999% of spam or false registrations. The timing method has to be done server side and stored in a session, and is fairly involved so not easy to do properly if you are new to web development. There is also the issue of someone hitting the back button to try again after a failed submission (if you don't use client-side validation), and them submitting from a cached page, but can be worked around if you know what you are doing.
Obviously it's not bulletproof, and if the CSS file doesn't load then someone would see the extra form element. But it's a small price to pay for effective protection.
Anyone else have other methods they use?
I had to post this as an anonymous coward, because I have to state an unpleasant truth that every single web site operator out there who isn't disabled will agree with 1000%, but can't publicly admit unless they wanna get flayed alive by the disabled lobby.
Get rid of captcha, not on YOUR life. I have a forum with 30 active volunteer moderators and without captcha they would spend every waking moment of every day removing bot posts non-stop. If we make a captcha that is just as easy to read with a screen reader or braille display as a sighted person, a computer can read them as well, defeating the purpose and making the whole system useless. Sorry it is not gonna happen. YOU have a disability that limits you, so get used to it. The basic fact is YOU can't penalize everyone else in the world because of that fact.
http://en.wikipedia.org/wiki/2081_(film)
LOL I have to submit a Captcha code to post this to Slashdot, I love the irony!
One time registration is one thing -- I can just punch the re-captcha until I get something I can read. (But if I can do that, couldn't a bot do it too?)
It's the sites that require captcha for each login that really chaps my ass. Yeah, I'd vote for it to go away.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
There is a simple solution to all this;
Use CAPTCHA's that have the audio button that speaks the CAPTCHA instead of looking at it.
Sight issues? Solved
Hearing Issues? Use the visual CAPTCHA
sight and hearing issues? If you can't see or hear then a computer is not for you. Stop trying to use a computer, you have much bigger issues to deal with.
Intelligence/mental issues ( e.g. can't add 8+5)?: operator failure, operator is too dumb to use a computer, replace operator.
This solves problems for 99.999% of people. It is not worth it to piss off 99.999% of people to make the 0.001% of people pass through a CAPTCHA.
Looking forward to not needing to look for the "Long S" character on my keyboard anymore http://blog.ambor.com/2013/07/an-unexpected-risk-of-using-re-captcha.html - I'm always worried that my employer is filtering on words like goatfucker when I mean to write goat(Long-S)ucker.
The "which of these pictures is a kitty" or the question "what is 1+1=?" are superior. The distorted text is irritating.
And as to the deaf... most CAPTCHA's will offer a "press to speak" feature.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
You know you live in a magical world when people are suggesting changing things in a way that would negatively affect the majority just to make cripples and broken people happy. First they abolished slavery, then they let them live in and run Detroit, and now they want to get rid of CAPTCHAs. What's next?
Are we getting to start letting people stay in the US Military when they are physically and/or mentally incapable of performing their jobs?
The solution is not to make it harder for spammers to post. The solution is to murder spammers after they post.
Simply require an email address and maintain a blacklist of bad domains.
People seem to forget that the term "CAPTCHA" (Completely Automated Public Turing test to tell Computers and Humans Apart) applies to a much broader set of tests than just those obfuscated text-based things that most of us loathe. Banning CAPTCHAs is a silly notion that would adversely affect every site currently using them, as they become swarmed by spammers. Instead of banning them, they should be asking people to use sane, simple CAPTCHAs.
For instance, on a forum I run for a group in a game, I use a form of CAPTCHA that has people drag words into categories. As an example, if our group name was "Guild X of Y", I might make the categories "Words in our group's name" and "Words not in our group's name", then ask them to categorize the words "Guild", "Elephants", "X", "Tree", "Honor", "Plus", and "Ocean". I have about two dozen sets of categories and words configured, and so far it's had a 100% success rate at stopping spammers from registering. It's also made it easier for people to register, since the number of e-mails and other off-forum messages I've received complaining about the difficulty of the CAPTCHA has dropped to 0 while registrations have actually picked up.
Such a system would obviously not work for Google or someone that large, since a spammer would just train the bot to know all of the answers, but for smaller sites, there are plenty of solutions that work just fine, and I'm sure we can find more systems that are simple for a human but complicated for a computer. No need to make something that's so complicated for a human to solve.
Alternatively, go with xkcd's approach to solving the problem of spam.
It's good that there are many different posting/comment systems like phpbb, vbulletin, even Slashdot. The more the merrier, which means the spammer needs to identify each and every one. If there is enough of them it's not worth it. Unfortunately people would opt for off-the-shelf solutions and this popularity/unity makes it more appealing for spammers: implement once, hack many. But a special case is if one site is big enough to take over thousands of small sites, really, this site needs a thousand different captchas in order to be as effective as a thousand small sites with their own captcha.
And for all those suggesting math problems and such like that, you must not have a large userbase. If the userbase was large enough or enough forums use the exact same "captcha" you can count on spammers writing their automated scripts to handle math. I suspect if you were to require people to solve complex math, such as infinite series or complex integrals that possibly could not be interpreted properly by the program that could be figured out by a human, but I suspect a lot of real people will have difficulty to figure them out.
I do like this possible solution that even Slashdot has used for anonymous coward: payload first, captcha later. It's a psychology problem: you already wrote what you want to write, just a little more and it gets posted. Coupled with it being unique helps a long way towards the spam problem. But this doesn't help against automated registration...
Incidentally, the captcha I got for posting this was "ovaries" but I initially misread it as "varies" completely missing the o. #*(@# captcha... :(
Text-oriented CAPTCHA schemes are obsolete, especially as a way to get humans to help with book OCR jobs. If the OCR program can't read it with context, humans probably can't read it out of context. A sizable fraction of book-scan CAPTCHA images aren't even text, let alone words. I've seen ink blots, mathematical formulas, and Cyrillic in what were supposed to be English-language CAPTCHAs.
They have precisely zero security value. Please see, for a brief introduction:
http://phys.org/news/2011-11-stanford-outsmart-captcha-codes.html
http://cintruder.sourceforge.net/
http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/
http://arstechnica.com/security/2008/04/gone-in-60-seconds-spambot-cracks-livehotmail-captcha/
http://www.troyhunt.com/2012/01/breaking-captcha-with-automated-humans.html
among others.
Nobody who actually understands the nature of the threat would even CONSIDER using captchas at this point.
Now...every now and then some poor naive fool stands up and says "But but but...they're working for us." No. They are not. You are simply not worthy of attack...yet. If you ever become a target, because someone has a grudge against you, or because you have an important resource, or merely because someone is bored, then if they are at least minimally competent attackers, they will go right through your alleged "captcha" defenses without the slightest problem.
CAPTCHA has a *point*. It is to keep bots out. Which, with good CAPTCHA, works very reliably, and more importantly is the ONLY thing that actually decides based on the *correct* measuring point. As opposed to IP address blocks, pattern matching, and other cases of shitty engineering with *way* too high false-positive and false-negative rates.
If you want to post, deal with it and enter the CAPTCHA. Otherwise you can just... you know... no post. That nicely keeps out the dumbfucks too.
My biggest problem with CAPTCHAs is that about 1/2 of the time they're ambiguous.
For example, running the letters together is a common technique, but that makes it impossible to tell the difference between the letter "m" and the letters "rn" together.
They're also twisting letters so badly now that they convert to other letters. For example, it doesn't take much to twist the letter "u" to "v", or to destroy the identifying features of the thin letters ("f", "i", "j", "l", "r", and "t").
I've had cases where I needed to request a new CAPTCHA 4 or 5 times to get one that's not ambiguous. The technology is badly broken now. There's no reason they can't fix these problems, but they deliberately choose not to. A simple fix would be to screen out things like "rn" if they're running the letters together -- but after all these years, it's now clear that they're unwilling to do even these simple fixes to improve the user's experience.
I have a solution. It's called paid services. Services where users have to log in and pay a subscription are much less susceptible to bots than free services. No CAPTCHA for users, less spam for hosts.
Yet somehow I feel most of the slashdot crowd (and internet crowd in general) doesn't sympathize enough with service providers to consider this an acceptable alternative.
These comments are mine; I do not speak for my employer.
Bad guys run some pretty high traffic sites that oddly enough, require captchas. Their client bots forward the real site captcha to the bad-guy site, which delivers it to a human who wants access to the bad-guy site and answers it - which answer is passed back to the bot and submitted to the legitimate site in real time. They also compromise legitimate captcha-secured sites for the same method. It's the Mechanical Turk method of defeating CAPTCHA. Machine learning of text recognition is not required.
Help stamp out iliturcy.
One of the Five Eyes Alliance. No doubt, the 'best' replacement for CAPTCHAs will be a centralized authentication/login authority. Or at least a few large outfits that can be arm twisted into linking everyone's accounts together. Like Google, Microsoft, OpenID, etc. It's just a variation of 'think of the children'. Think of the blind.
No thanks. I'll keep my on-line personas separate.
Have gnu, will travel.
I recently started getting hundreds of spam signups a day on my site. So I installed a CAPTCHA to prevent that. I set up a standard image CAPTCHA with a plugin for the CMS. More than 80% of the spam sign ups just walked right through it. Then I changed the type of CAPTCHA to an ASCII art CAPTCHA. I haven't had a spam sign up since. The ASCII art CAPTCHA is also much easier to read than weird image CAPTCHAs.
Instead of a CAPTCHA, show them two posts and indicate if none of them, one of them, or both of them are spam posts. Behind the scenes, one is a post you know for sure is good or not and one you don't know about.
You can use the responses to rate users (how effective is this user at rating posts, based on how well they do identifying spam?) and posts (how likely is this post to be spam based on what users say about it?). Bad users and bad posts get booted from the system.
The current generation of CAPTCHAs aren't designed to take advantages of the real strengths of the human perception system.
For example, humans are excellent in detecting the patterns in disconnected shapes, and in mentally connecting incomplete lines. Notice that the IBM logo is constructed from 40 completely disconnected lines -- but it's easy to perceive them as letters.
There's a lot of low-hanging fruit here, and the CAPTCHA designers aren't exploiting it. Instead, they just keep flogging their tired old technique of distorting letters and running them together. This is a technology that has seen absolutely no innovation for years. As a result, I'm not surprised to see a new movement to kill it off.
Even now I'm not sure if letters need to be entered as shown ie: some letters are upper case, some lower case.
I'm leaning towards it doesn't matter.
Anyone using a widespread bulletin board software will know that despite hard CAPTCHAs, spammer accounts are registered like crazy.
I include a small set of questions and answers relative to the interests of those who would visit the board. E.g., for Slashdot:
Complete the following sentence:
[randomly select from sentences]
"TFA" is an acronym meaning "The _______ Article". (7 letters)
Another alias for "Anonymous Coward" is "________ Dweller". (8 letters)
--etc--
Prior to instituting this simple questionnaire there are usually hundreds of spammers a day. Afterwards? None.
This is actually trivial to solve, indeed I don't even use the session token as a seed for creating new mappings between the numeric question ID, and the answers. So, a diligent spammer could simply collect all the questions then add the responses to the bot... Only THEN would I escalate to the code I've already written that does the randomized mappings, after first swapping in a new set of questions / answers.
But why?! Why wouldn't I use the MORE secure way right away? Because I'm not a fool. It has to be worth their time to enter an authentication war with me. Let them waste time writing a bot solver first, then immediately have their work become useless. In fact, this has already happened a few times. It's even rarer for spammers to then continue escalation -- they could just migrate to one of the other boards that is not so hostile, and upon which pre-made automated solvers still work. In fact, I have found good success starting with only a single question. Replace the selection function:
sub random(){ return 4; } # Return truly random number, selected by fair dice roll.
Then I can simply revert to the randomized set of questions to escalate the spammer's coding and deployment cost. Thus, gaining yet another defense at little cost.
Any heterogeneous environment has what's called a "Single Point of Failure". This is why sex exists. Combinatorials are a simple way to get some randomness without all kinds of unexpected outcomes that rampant mutations in an asexual production would first attempt. Bacteria can use other methods because they've abstracted reproduction from defense: transformation, conjugation, etc. So, the uniform use of SSL, is stupid to put it mildly. It could have been like a bacteria, standardized and abstracted extensible protocol for defensive encryption... It's not though, it's a dumb for including a heterogeneous set of transforms dictated by AES standard. I mean, virtual machines exist; You're using one to decode font glyphs, and Unicode BIDI right now, but not for extensible encryption? How daft. Pervasive use of a brand of Captcha is equally retarding.
How foolish you humans are to not even learn the most basic of Life's Lessons. Diversity is a defense. When you use science to analyze natural selection's method of Trial and Error, Observation of results and Preservation of favorable outcomes... I bet you don't even make the correlation that Nature invented Science billions of years before you rediscovered it... I bet you don't even realize that's a universal truth inherent to any self improving cybernetic system, from DNA life compilers to C compilers. Ugh. Humans: Can't live with 'em; Can't teach 'em to survive.
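The escalation step the comment above describes (seeding the question-ID mapping from the session token) can look like the following. This is an added sketch, not the poster's code; the question pool is constructed sample data and `SERVER_KEY`, `opaque_id`, `issue_challenge`, `verify` and `harvest_and_replay` are hypothetical names.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: one secret per deployment

# Constructed sample pool; a real board would use questions about its own topic
# and swap the whole pool when solvers start keying on the question text.
QUESTIONS = [
    ("What colour is the sky on a clear day? (4 letters)", {"blue"}),
    ("What is the fourth word of this sentence?", {"fourth"}),
    ("How many legs does a cat have? (digit or word)", {"4", "four"}),
]


def opaque_id(session_token, index):
    """Question ID as sent to the browser: differs for every session."""
    msg = f"{session_token}:{index}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:16]


def issue_challenge(session_token, index=None):
    """Pick a question and return (id_for_this_session, question_text)."""
    if index is None:
        index = secrets.randbelow(len(QUESTIONS))
    return opaque_id(session_token, index), QUESTIONS[index][0]


def verify(session_token, qid, answer):
    """Accept only if qid belongs to this session and the answer matches."""
    given = answer.strip().lower()
    for index, (_text, accepted) in enumerate(QUESTIONS):
        expected = opaque_id(session_token, index)
        if hmac.compare_digest(qid.encode(), expected.encode()):
            return given in accepted
    return False  # unknown ID, or an ID minted for a different session


def harvest_and_replay():
    """Show what an ID -> answer table collected in one session is worth.

    Returns (accepted_in_same_session, accepted_in_other_session).
    """
    harvested = {}
    for index, (_text, accepted) in enumerate(QUESTIONS):
        qid, _ = issue_challenge("session-A", index)
        harvested[qid] = sorted(accepted)[0]
    same = sum(verify("session-A", q, a) for q, a in harvested.items())
    other = sum(verify("session-B", q, a) for q, a in harvested.items())
    return same, other
```

The per-session mapping only removes the stable ID as a lookup key; a solver that matches on the question text is handled by replacing the pool, as the comment says.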
Vastly superior methods for stopping spam have existed since well before captchas were invented. They still exist today. I've written about them at great length (elsewhere), as have others.
The problem is not that these methods don't exist, or aren't effective, or aren't well-understood; the problem is that people refuse to invest the effort to learn them. Captchas are a cheap, easy way out for those same people, and they take it because they're too lazy to bother actually (gasp!) LEARNING.
But you know what? Let's forget that I have more experience in this area than you could possibly guess. Don't take my word for it. Don't read the references I provided. Instead, why don't you consult the people who make it their business to defeat captchas: the spammers, the phishers, the malware distributors, the bad guys. Go read their mailing lists, their web sites, their message boards. I don't mean just one or two postings: I mean several thousand over several years, so that you can actually begin to get a sense of where they're at. You will find, if you actually do this modest bit of informal research, that they're way past all this. Captchas are merely a dot in their rear-view mirror, fading away into the distance.
I'm neither and they annoy the hell out of me; and those little "validation games" (dump the fish into the bucket, or whatever) are ridiculous time-wasters. I'm also a web developer, so there's that. CAPTCHAs are for lazy web developers to offload the task of anti-bot protection to the user.
Create some dynamic form elements that only display via Javascript DOM and are required by a backend script. Create a per-IP limitation on registrations per 10 minutes. Require a minimum time between form loading and form submission. Require a cookie to submit the form.
The point is: the more variety of anti-bot systems that exist, the less attractive a target there is for bot makers.
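The hidden-field and minimum-fill-time checks from the earlier comment, together with the per-IP limit listed in the comment above, as one added server-side sketch (not code from either poster). A signed hidden token stands in for the session-stored load time; the field name `telephone`, the limits other than 10 seconds and 10 minutes, and all function and class names are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

SECRET = secrets.token_bytes(32)  # assumption: per-deployment signing key
MIN_FILL_SECONDS = 10             # threshold given in the earlier comment
TOKEN_MAX_AGE = 3600              # constructed value: older forms must be reloaded
RATE_WINDOW = 600                 # "per 10 minutes"
RATE_LIMIT = 3                    # constructed value: registrations per IP per window
HONEYPOT_FIELD = "telephone"      # hidden by external CSS; the form never needs it


def _mac(ts, nonce):
    return hmac.new(SECRET, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_form_token(now):
    """Call when rendering the form; the result goes into a hidden input."""
    ts = int(now)
    nonce = secrets.token_hex(8)
    return f"{ts}.{nonce}.{_mac(ts, nonce)}"


class RegistrationGate:
    """Server-side checks; returns a verdict string instead of raising."""

    def __init__(self):
        self.used_nonces = set()          # prune by timestamp in production
        self.per_ip = defaultdict(deque)  # ip -> times of accepted registrations

    def check(self, form, ip, now):
        # 1) Honeypot: a human never sees the field, so any value means automation.
        if form.get(HONEYPOT_FIELD, "").strip():
            return "honeypot"

        # 2) The load time must come from us, not from the client.
        parts = form.get("form_token", "").split(".")
        if len(parts) != 3 or not (parts[0].isascii() and parts[0].isdigit()):
            return "bad_token"
        ts, nonce, mac = int(parts[0]), parts[1], parts[2]
        if not hmac.compare_digest(mac.encode(), _mac(ts, nonce).encode()):
            return "bad_token"

        # 3) Minimum fill time. A cached page (back button) keeps its original
        #    timestamp, so a human retrying only gets further from the limit.
        elapsed = now - ts
        if elapsed < MIN_FILL_SECONDS:
            return "too_fast"
        if elapsed > TOKEN_MAX_AGE:
            return "expired"

        # 4) One accepted submission per rendered form, so a single aged
        #    token cannot be reused for a batch of registrations.
        if nonce in self.used_nonces:
            return "replayed"

        # 5) Sliding-window limit per IP address.
        hits = self.per_ip[ip]
        while hits and now - hits[0] >= RATE_WINDOW:
            hits.popleft()
        if len(hits) >= RATE_LIMIT:
            return "rate_limited"

        self.used_nonces.add(nonce)
        hits.append(now)
        return "ok"
```

Every verdict other than `ok` maps to the same "this looks automated, please try again or contact us" message the earlier comment describes, so the response does not reveal which check fired.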
Charge $1 for a lifetime membership. (or whatever minimum amount on paypal results in you making more money than paypal)
Each time I swear it was an Aztec chant out of the Necronomicon to raise the evil dead. (And I'm only being partially sarcastic when I say that.)
Did you know 80 to 90% of the moderators on slashdot wouldn't recognize a troll even if one dragged them under a bridge.
/\37R07URF campaign. Most captchas nowadays even include a link for an audio CAPTCHA.
So people who can't see are unable to click a button that plays the word so they can listen to it?
The same people who use screen readers...
What's wrong with putting aria tags on the button, so their screen reader tells them about it?
I run a couple Wordpress sites for people and ran into massive spam problems. Akismet solved many of the comment spams, but not user registration. Eventually found a plug in that inserts random questions like "What is the fourth word of the sentence." Or "What colour is the sky?" That has effectively blocked 99.9% of splog spam.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
Don't you mean bam birty byslexics?
Make a server side script that rotates predefined tags and hiding methods. It would take extra work to create a bot that could cope, time to determine how your system works, and in the meantime you break their code over and over.
If this is such an issue for accessibility, how much worse are Flash media, .jpeg'd text messages/media, and AJAX?
None of those technologies lend themselves to text reader applications nor to braille translation.
Nor have I ever seen a Captcha on an actual useful web site -- instead they use little things like manual verification of new accounts, especially things like IBM's developer web sites and my bank account. In fact both my bank account access and my government tax account access required snail mail verification codes for the initial log-in.
Methinks someone over-rates the importance of websites that rely on CAPTCHAs.
I do not fail; I succeed at finding out what does not work.
Captchas solve the wrong problem. Why should a website care if it is a program or a human filling in a form? Why couldn't I have a user agent to automate registration on websites for me if I am not abusing?
This would fail.
The majority of spam comments now are autogenerated with keywords and generic "thanks for this info, I will come back and read again" messages. Your typical user won't recognize this is spam. It's just like using Bayesian filters for email spam.
I'm out of my mind right now, but feel free to leave a message.....
DeCaptcher services are dirt cheap and extremely easy to set up for any page that is going to be abused by bots, the majority of which have DeCaptcher services built in.
A good example would be my account I use with JDownloader has around 330,000 automatic captcha entries left.
Um, no. The computer doesn't have to understand the meaning of a scene in order to render it. Games are rendered a hundred times per second. The GPU doesn't know that's Lara Croft's boobs, it's just polygons.
Vastly superior methods for stopping spam have existed since well before captchas were invented.
They still exist today. I've written about them at great length (elsewhere), as have others.
I guess it's just an oversight on your part, that you didn't include a link, right?
The problem is not that these methods don't exist, or aren't effective, or aren't well-understood; the problem is that people refuse to invest the effort to learn them.
Well, I would love to learn them. Unfortunately, every alternative method I heard about was either less effective or simply solved a different problem altogether.
"I must have listened to the Skype audio CAPTCHA 20 times before I gave up and asked my sighted friend to set up my account.."
Skype is a bad decision even for sighted people...
If it's reasonable to kill captcha because it's something that works for many but not for a few, why shouldn't the entire (well, 99.999%) of the web that's inaccessible to the totally blind be banned as well?
Use a visual and audio word problem. You can automate making any number of these in many different forms. Anyone who's done 8th grade math can solve them, but computers would have to actually understand the English, and they'd fail at that due to different wordings, inclusion of unrelated information to confuse the computer but not people, etc.
Like: "Of 100 total children, five times the square root of the number of Mary's children is the number of children Mary has plus six. Five strawberries are on a table next to eight books. Of the 100 children, how many have Mary as a mother?"
Computers won't be able to solve that for a long time (mostly due to the language processing, not the math), but humans can solve it in a few moments.
And where did you provide those references?
Rethinking email
With services like Death By Captcha: http://www.deathbycaptcha.com/ - you don't even need to fully automate (bot) the process. Can simply employ a mechanical turk solution instead. No captcha will ever beat cheap humans.
Captcha solves the wrong problem; who cares if it's human vs bot if the action to be performed is undesirable. Better to constrain with hard limits of posts per device in a given time period.
I'm visually disabled and while I agree sighties often overlook our needs the cold hard truth is that any sort of support for the blind will be leveraged by spammers and bots who seek profit at the site owner's expense. Would I love to have better support for me and others like me? Yeah.. but I'm a realist and I know it's never going to be a priority for most people because the sighted don't care about the blind like me.
- d
I think Joe Cascio's idea of "collateralized identity" looks really interesting here:
http://joecascio.net/joecblog/2013/03/25/collateralized-identity-using-bitcoin-to-suppress-sockpuppets/
The core problem we're really trying to solve with a CAPTCHA is: anonymous identities are very cheap to create. We can require the user to provide and verify an email address, but it turns out those are cheap to create too. What we really need is a way for the user to prove that they have something invested in their identity - be it monetary value, time, cpu cycles, or whatever. A bit like slashdot karma (so you can filter out trolls/spammers using identities with nothing invested in them, which are cheaply created/replaced.)
Bitcoin, if it should ever gain widespread adoption, provides a very convenient mechanism to accomplish this:
1. each bitcoin user already owns a pseudonymous unique public identifier (ie. their bitcoin address), which they can provide to any website as a portable identity
2. to prove ownership of this identity the user can sign a challenge from the website using their private key (hey, we just solved the password problem too!)
3. an amount of monetary value (ie. bitcoin) stored at this address, plus the length of time it has been stored there, is publicly visible on the block chain.
This allows the website to assign weight to the identity based on a combination of: the amount of value stored with the identity + the time it has been stored there. An identity that has had $20 stored with it for 3 days is probably not a spammer. An identity that has had $0.20 stored with it for 3 months is also probably not a spammer.
Of course it is easy to generate an unlimited number of such identities - but hard to have a decent amount of value stored with each of them for a decent amount of time. Websites can easily adjust the weighting threshold required to sign up / post comments based on experience with incoming spam. And there's always the ban hammer - which suddenly has some real weight behind it again :)
Important to note:
1. the money (ie. bitcoin) associated with the ID stays under the user's control at all times. The user alone has the private keys required to transfer/spend it any time they like - of course doing so would lower the weight assigned to their identity by any websites that inspect it.
2. the website need not store any authentication information for the user (eg. a password). The user retains control of their private key, and can use it to authenticate without disclosing it to the website.
Too hard for Joe Public to understand? Maybe.
Just imagine this all wrapped up in a friendly browser plugin. When you visit a website there's no login page - your browser has your private keys (perhaps encrypted with a master password, like Firefox's password manager does today) and just automatically authenticates you. Your browser could provide a drop-down "switch identity" widget in the toolbar to let you flip between multiple IDs / generate new ones, which is the only bit visible to the user (they need never hear terms like "private key".)
An "add weight to this identity" option would allow you to add/withdraw funds for any ID. Initially this might look like a bitcoin transfer (confusing for non-technical people), but a private company could easily provide a regular payment gateway on top of this (ie. accepting dollars), making the process no harder than recharging your skype credit.
Adding weight to any identity would be strictly optional, but might eg:
* allow you to skip CAPTCHAs
* allow you to post at +2 on slashdot by default
* generally increase the trust in your identity being genuine all over the web - use your imagination....
--Gareth
What happens once Project Gutenberg runs out of books published before 1923?
Suggestions probably get shut down because the "one corner case" happens to be the subject of the featured article.
Your solution breaks with multiple people in the house who share a phone.
The web is not a visual medium. It is a medium of the HTML DOM, even if your favorite user agent happens to present it visually. Blind people use tools called screen readers that read text in the DOM aloud.
For a captcha for the blind, how about the question "Which sentence makes sense?" and grab a sentence from some out of copyright book or something with four other computer generated ones, that are grammatically correct, but otherwise are nonsensical. Something like:
A. He was a light, slow, and there is a small Saturn -- away from a high flame lying in the life within it.
B. This was not illegal (nothing was illegal, since there were no longer any laws), but if detected it was reasonably certain that it would be punished by death, or at least by twenty-five years in a forced-labour camp.
C. Its neck was a novel entitled "Kaleidoscope Vision," which is hat crinkle were like fresh glass domain key
D. He was shrill the world was a greenish drink at me that leads to allow the cold water
Read the (7 letter word starting with F) article: I must be lousy at counting today because "featured" looks like it has eight letters.
Okay they could pad with something random instead of zero. But a little more involved program could simply read the image in memory, go thru the JPEG fields, and remove all that is "padding". Et voila. You can again compare the number of zeros.
A more involved solution would probably be to add additional distortion in the original image which would be invisible to the eye, thus forcing the compression algorithm to build a longer file for the original, but that would be far more involved and probably could be broken other ways.
TROLL WARNING! (Read the user name.)
If you want to troll, Arrogant-Bastard, then at least don't be so *shitty*. My grandma eats "trollings" like that for breakfast.
___
He's probably 13, judging from his statements like "I have more experience in this area than you could possibly guess". That's the last time I used "arguments" like that. Especially after talking about "methods", yet conveniently not mentioning a single one of those. Just like the "references" he "provided".
Also: Several thousand posts over several years... sorry, but that's not a person living a successful life, but a loser in his underpants, posting flames from his mother's basement. Ain't nobody got time for that!
I am vision impaired & *had* a hard time with captchas.
Until I remembered that in firefox, ctrl+ zooms.
When I run into a captcha, I hit ctrl+ a few times, fill out the captcha & submit.
Then I hit ctrl- a few times to get it back to the appropriate size. Yes, I know about ctrl0, but I already run most pages a little zoomed.
Every single person I have shown this to, vision impaired or not, no longer has a problem with captchas...
pass it on!
There's a missing comment upthread which included half a dozen or so links (including one back to Slashdot) about projects that have quite, quite effectively demonstrated that captchas are worthless.
Of course anyone of even modest intelligence would be capable of doing their own homework and searching the web for things like "captchas defeated", then reading what they find. It's old news (years-old, in fact) by now, so there's plenty to read about. But then again, nobody of modest intelligence would even consider using captchas: that's the province of the lazy, the stupid, the ignorant, the worthless.
Here, I'll get you started: https://freedom-to-tinker.com/blog/felten/cheap-captcha-solving-changes-security-game/
That's one of MANY. You should be able to find some of the rest in a few moments without further assistance from me.
No, not a troll, just very aggravated that this conversation is apparently necessary. The lack of cognitive and research skills among defenders of captchas is appalling; how can ANYONE be so amazingly ignorant as to not recognize that the only captchas that haven't been thoroughly defeated are those that aren't worth defeating -- because what they "defend" is so pitiful that not even spammers care about it?
As to your incorrect speculation on my background: I go back to ARPAnet days, kid. So I've earned the right to be a little snotty from time to time when faced with the kind of monumental ignorance on display in this discussion.
But you know what? If you want to blindly persist with your pathetic captchas and your laughable belief that they have any value at all: go right ahead. Just keep holding up tissue paper in front of a tank and hoping it'll work. I'm sure that'll work out just great for you.
Computers can solve some of these more easily than humans can. We can stop pretending we're still better than machines at optical character recognition.
no.. this is about blind people complaining that audio captchas are too hard.
you know why they complain? they haven't had to deal with a bunch of impossible visual captchas.
slashdot is one of the few sites with reasonable captchas.
There's more than just that involved.
A certain nameless site for a very popular product has color captchas. I desperately needed support, but could not register because it used a color captcha which rendered very poorly at my screen resolution and used colors that strained my less-than-perfect color vision.
And the maddening thing about it was that I already had seen plenty of spam posted to the forums. The spammers had presumably simply hired cheap labor to defeat the captchas manually.
I always wondered - we build an Internet to transfer files, so who cares if a person does it or not? Why have CAPTCHA at all? If people want to automate file transfers, let them. We've built out an Internet that cripples itself at every turn. File download services cripple their bandwidth, and then cripple themselves with wait times between downloads, and make people type CAPTCHAs.
aren't they also being used for reading old texts where OCR failed? I think these are the ones where there's 2 panels? it's a hidden positive of using them.
because what they "defend" is so pitiful that not even spammers care about it?
You say that like it's a bad thing. I have a small, technical, professional special interest forum. It seems to be of value to the users given that they keep posting, but is "pitiful" according to you. The readership is not big.
Initially it got overrun by the massive bulk spamming operations. I put in a captcha. Now the economies don't work out for targeting a small forum like that.
Great! Captchas worked!
So I've earned the right to be a little snotty from time to time when faced with the kind of monumental ignorance on display in this discussion.
Yet you are the one being monumentally ignorant by assuming that anything worth protecting but not worth attacking is "pitiful". You seem to be ignorant of the whole world of small special interests out there that are valuable to the members but will never be big.
I am fully aware that captchas are not very strong security. Neither is the lock on my front door. But I guess my house is "pitiful" since I don't have the crown jewels locked up inside.
SJW n. One who posts facts.
Instead of complaining for its removal, they should instead implement an alternative to systems like re-captcha, such as a world wide phone verification system at their expense and provide it free to webmasters. Otherwise free solutions like re-captcha will remain dominant.
Change is certain; progress is not obligatory.
All you have to do is ask a simple question: "Are you a robot?" with radio buttons for "yes," or "no." Bots can't lie if you ask them if they're a machine. I know because an undercover cop told me.
I've seen quite a number of CAPTCHAs that were so distorted they were completely impossible to deduce any actual Latin characters out of them at all. (Or the occasional CAPTCHA that actually very clearly had characters that were *not* Latin characters. Those are fun.)
I've found the best way to get rid of spambots without wonky captchas, is to have a free-form textbox field that requires the person trying to create an account to answer a simple question. For smaller sites, it can even be a static question like "what's the answer to this question: 5+6 = ?". For larger sites it can make sense to have a rotating or frequently-updated question about the site itself, something a spammer, even a non-bot spammer, wouldn't know without researching, but that someone who came to the site because they were interested in the subject would.
The approach will fail if the context is important (autogenerated text) and if the comments are too long (user won't bother to read til the end).
Hello... I have at times just given up trying to GUESS what the hell I was supposed to type. This program is way over the top to protect Webmasters!
So, have some of the racist idiots with zero tech skills, and too much time on their hands, posted to this thread yet? I've already seen two stories - I think the last was on Bezos buying the post, that had a long, incoherent rant by some asshole, with nothing to do with anything other than their desire to masturbate in public.
mark
The best and simplest solution to stop all registration bot spam is to make your registration double opt-in. If the bot cannot click a link in a confirmation email then the registration never succeeds. Even harder would be to make the link in the email unclickable and make them copy and paste it into the browser to complete the registration. That is mission accomplished.
so it's better to have to register an account with some shoddy "identity manager" (facebook, google, disc0, etc..)
and tell them that you're posting a new comment EVERYTIME?!!
-
go to any website (newspaper in dodgy country maybe?) call up "identity manager" first: "hey guys, i'm going to post some stuff on this website, would you please confirm my identity to them please?" - "sure no problem, let me just make a quick entry in our history of ALL your posts in OUR (three letter agency shared) database ...." - "okay, cool, thx bro!"
-
hating captchas makes you a three letter friend.
pinky brown blue
What about us people with only one hand available at the time? We hate captcha too!
Actually seriously so many websites should design for this, it's a big usability issue.
stopbotters.com I'm using it on a few of my websites, however I'm also using the picture puzzle captcha which is easier than text. These 2 systems combined I have yet to have any spam or bots sign up.
KeyCaptcha is free for their basic https://www.keycaptcha.com
StopBotters.com is a javascript file that connects to a database that searches various variables such as for example, Time taken to register if detected faster than allotted changeable time ban as bot, Editing of hidden fields, IP, Email, lookup to verify if they match any spam that has been detected in the past and ban them.
Fairly nice system.
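The non-interactive checks mentioned in this thread (rotating hidden fields, a minimum time to register, edits to hidden fields, and a lookup of IP and email against earlier spam) can be combined in one server-side validator. This is an added Python example, not StopBotters' code and not part of any comment; the thresholds, the field-naming scheme, the function names and the blocklist entries are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # server-side key; persist it in a real deployment
MIN_FILL_SECONDS = 4              # assumed threshold: faster than this is a bot
MAX_FORM_AGE = 3600               # assumed: forms older than an hour must be reloaded
# Constructed sample of previously seen spam sources (documentation addresses).
BLOCKLIST = {"ips": {"203.0.113.7"}, "emails": {"spam@example.invalid"}}
_used_nonces = set()              # in-memory replay cache; use shared storage in production


def _mac(msg: str) -> str:
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()


def _field(kind: str, nonce: str) -> str:
    # Field names are derived from the per-form nonce, so they change on every load.
    return "f_" + _mac(kind + "." + nonce)[:12]


def issue_form(now=None) -> dict:
    """Return the signed token and the rotated field names to render in the form."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    body = f"{now}.{nonce}"
    return {
        "token": body + "." + _mac(body),
        "email_field": _field("email", nonce),
        # Hide the trap with CSS and from assistive technology as well
        # (aria-hidden="true", tabindex="-1"), or screen-reader users will fill it in.
        "trap_field": _field("trap", nonce),
    }


def check_submission(form: dict, ip: str, now=None) -> tuple:
    """Return (accepted, reason) for a posted registration form."""
    now = int(time.time() if now is None else now)
    try:
        issued_s, nonce, mac = form.get("token", "").split(".")
        issued = int(issued_s)
    except ValueError:
        return False, "malformed token"
    expected = _mac(f"{issued_s}.{nonce}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "forged token"
    if now - issued < MIN_FILL_SECONDS:
        return False, "filled too fast"
    if now - issued > MAX_FORM_AGE:
        return False, "form expired"
    if form.get(_field("trap", nonce), "") != "":
        return False, "hidden field edited"
    email = form.get(_field("email", nonce), "").strip().lower()
    if not email:
        return False, "missing email"
    if ip in BLOCKLIST["ips"] or email in BLOCKLIST["emails"]:
        return False, "known spam source"
    if nonce in _used_nonces:
        return False, "token reused"
    _used_nonces.add(nonce)
    return True, "ok"
```

Because the timestamp is covered by the HMAC, a client cannot backdate the form to get past the timing check, and the single-use nonce stops one solved form from being replayed.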
and start knocking on doors
I thought the Watch Tower Bible and Tract Society had the patent on this. :p
Also make it harder for you to solve CAPTCHAs. And there's nothing worse than CAPTCHAs on mobile.
AI understands logic much better than the captcha problem, and has for 50 years. Early LISP and later PROLOG solved these problems well. Modern computers can expand search spaces that are much larger now.
I personally recall a site that replaced captcha strings with basic calculus problems. An MIT student wrote a LISP program to solve these in the late 1960's, before I was born.