Slashdot Mirror
Campaign To Kill CAPTCHA Kicks Off
Bismillah writes "CAPTCHA may be popular with webmasters and others running different sites, but it's a source of annoyance to blind and partially sighted people — and dyslexic people and older ones — who often end up being locked out of important websites as they can't read wonky, obfuscated letters any more than spambots can. A campaign in Australia has started to rid sites of CAPTCHA to improve accessibility for everyone."
Makes it useful.
from automated submissions?
If the campaign was taken over by bots?
"W3C has suggested other techniques such as logic puzzles, limited-use accounts and non-interactive checks to prevent abuse such as fraudulent account creation and spamming."
Its going to be far harder to make an AI that can create a decent logic puzzle as well as make it accessible and hard for computers to solve than it it to make an image and warp it a bit. I think any such puzzle will probably be worse than the audio captcha button.
Yes it is stupid. I understand that spam is a problem, but if you run a website, it's *YOUR* problem. CAPTCHAs make it *MY* problem and that's just stupid.
there isnt a single thing that everyone will like or approve of.
let's say you change it do you have to answer a simple addition math problem. what you get is someone crying, "i have to answer 5+8?! but i dunno maths you insensitive clod!"
you know that person really exists.
Anons need not reply. Questions end with a question mark.
OCR has advanced to the point it is now possible to beat it 99.99% of the time no matter how difficult to decipher -- which has a side effect of making even real humans have trouble reading the CAPTCHA. Not willing to shell out for quality OCR? No problem, Amazon's Mechanical Turk provides you all the tools you need to get people to read the CAPTCHAs for you and the spam goes on. Don't feel like spending any money at all? No big deal, many CAPTCHA services are easily bypassed. (Let's not get into the ethics of certain companies using CAPTCHA solutions for third-party websites as unpaid labor.)
This was an early-00s temporary solution to a permanent problem better solved via other means.
Not sure is this is already super well known, but only 1 word is actually used for verification. In this example you could type "thrand " and pass it. The verification word always looks similar in font/size to 'thrand'. Oh, and the other word I believe is a scan from a book and if you *do* type it in, it will help the digital scan of the book actually pin point what word it is.
You were critically hit for no damage. The bruise will look nice, and maybe the scars will make good party talk.
there are already several types of captcha nowadays that are newer and much easier to use. one of the ones ive seen is one with a company logo and you have to type out the company name. another is one where you have to makea pizza with specific toppings. another one is where you have to draw an image. captchas are necessary... the problem is that they have become too ridiculously difficult instead of making it easy to use for normal ppl.
A stoned person types his password into a CAPTCHA field.
"Wrong? Ah man, I know that's my password."
CAPTCHA will be around as long as it is the best way to stop programatic submissions.
CAPTCH sucks for sighted people as well, not just the visually impaired.
As long as we have need for tools to discern software from people, something like CAPTCHA will exist. And so far we haven't developed anything that only humans can do, but computers can't.
I'm out of my mind right now, but feel free to leave a message.....
Another "service" Goggle capitalizes on, for free.
It makes me want to cry when I think of how many catchas I've typed...
If taking a couple seconds to answer a CAPTCHA is too much effort, I probably don't really care what you have to say in the comment section.
I understand that spam is a problem, but if you run a website, it's *YOUR* problem. CAPTCHAs make it *MY* problem and that's just stupid.
If the website you use is overrun by spam to the point of being unusable, then it's your problem as well.
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
As someone that runs a website, without CAPTCHAs I'd be fucked.
There are bots that can automatically register on a site, then check the email account for the activation link, in order to start spamming, so that's not a solution.
The newer 'flash games' e.g. 'out of 5 objects, put the drinks in the cooler' are an interesting solution, but that probably still won't work for people with accessibility issues.
Moderation can work on sites like slashdot, but on lower traffic sites not so much, and the signal to noise ratio will be awful.
If Australia pass this and actually clamp down on 'offenders' it will do more harm than good as the only recourse webmasters will have is to not allow people to register/interact with the site as the cost of cleaning up spam will be too high.
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
Offloading some of the responsibility to you as a human co-processor is an effective tactic called Share The Pain. It's not stupid, it's genius. You just don't favor the end result. You can always vote with your mouse and go to another website.
"Love heals scars love left." -- Henry Rollins
I will create a single sign on service where you pay $1 to sign up. If someone reports you as a spam bot, you will be disabled until you pay me another $1. I will take the money and give a small percentage to some charities (EFF probably) and keep the rest as server and administration costs.
If people want to spam or create fake accounts, it will cost them a lot more than just having some guy answer 1000 Captchas for a buck. I could track where I get the money from to locate the spammer's accounts.
Passwords, with no two sites accepting the same format. CAPTCHAs, which often as not even normally sighted people can't read without difficulty. Security questions which are either inane or represent their own special security risk.
God almighty, can't we come up with something to replace all of these?
Three Squirrels
Mission Accomplished.
Annoyance to older people who were used to buying their overseas Viagra from forum spambots.
Captcha fulfills a need - it is, as the name implies, a test to completely automatically tell computers and humans apart. It's necessary to keep spambots from registering accounts and spamming the hell out of us. Granted, the "type this wobbly word" may not be the most practical (nor safe) solution. It's easy enough to come up with alternatives- Perhaps show four photographs and ask the user to click on the one that doesn't belong (maybe the kitten out of a picture of 4 cats). Coming up with good ideas? Much harder. Complain about it all you like. Come back if you have a better alternative.
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
Apparently blind people are unaware of all the spam postings clogging porno web sites without it.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
If taking a couple seconds to answer a CAPTCHA is too much effort, I probably don't really care what you have to say in the comment section.
Or a couple of minutes considering most capchas are illegible.
I'm a good cook. I'm a fantastic eater. - Steven Brust
Tell that to my 46-y.o. eyes that can barely decipher these increasingly difficult eye puzzles, and I have a computer engineering degree. Think about others, will you?
Steve Magruder, Metro Foodist
This kind of thing shouldn't be hard at all. You don't need complicated logic puzzles or any such thing. You just need something that's hard for a computer to figure out, but easy for a human.
For instance, render a 3D scene and ask a question about perspective. "What is the person holding in her right hand?" "What is the person looking at?" and similar such questions. Trivial to render. Hard to figure out, because it's far beyond simple image recognition: you have to see and interpret what's going on in the scene. It doesn't have to be confusing or hard at all. (And rendering is super cheap these days.)
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
Why would they want to recommend an alternative? If they're like me, they don't want nor need an alternative. It's the companies using them that want these systems. The users really don't care how much botcrap the server takes in.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
there are a few websites I want to access but cannot because their CAPTCHA is unreadable. Some of them are just way too complicated to read. I use it on my own blog but it is simple enough so you can get it the first time. It would be nice if there was some other way to prevent bots.
... the Feedback page for TFA blog has a CAPTCHA.
It must have been something you assimilated. . . .
It is possible to train an algorithm to recognize CAPTCHA, even if the success rate isn't 100%, it is high enough to enable bots to register on websites with CAPTCHA. So, Australia is only pushing people to find out better solutions than CAPTCHA. In short term, a large amount of spammers will rely on optical recognition algorithms to decipher CAPTCHA anyway.
Achille Talon
Hop!
Well they did give an alternative...
...but how do they sign up for that email account?
"According to Hollier, a better way for everyone would be the use of emails to activate and verify users, instead of CAPTCHA"
Indeed, they seem to be pissing and moaning about inconvenience without really grasping the problem being solved, as evidenced by this gem:
"With time sensitive things like concerts, this can mean I miss out on the tickets as the transaction times out," Hollier said.
As opposed to everyone missing out as a bot buys all the tickets.
There are plenty of other technical measures available these days. Captchas are unnecessary.
Steve Magruder, Metro Foodist
The campaign support page already has 17 billion supporters!
Well they did give an alternative...
"According to Hollier, a better way for everyone would be the use of emails to activate and verify users, instead of CAPTCHA"
Yea, suppose I could have clarified by adding "alternatives that aren't worse than what they're replacing," but I figured that was a given.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Get rid of them and replace with simple maths question:
http://farm3.static.flickr.com/2174/2268237733_cda4a1dbb3.jpg?v=0
Why would they want to recommend an alternative?
Because otherwise they come off as a bunch of whiny narcissists who should be summarily ignored? That's my take, anyway.
The users really don't care how much botcrap the server takes in.
On the one hand, lol and touche.
On the other, they'll start to care when the botcrap makes the server unreachable to them; at which point they'll just start pissing and moaning again, and the cycle begins anew.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Yes it is stupid. I understand that spam is a problem, but if you run a website, it's *YOUR* problem. CAPTCHAs make it *MY* problem and that's just stupid.
You assume the website needs you more than you need it. For the standard commercial "wall of ads with some random content between" site, sure, what you say holds true
For a lot of smaller interest-group-themed sites, usually run by a handful of non-IT-gurus, put bluntly you need them more than they need you, and they don't have a full-time body around to read through all new posts to purge the spam.
Now, personally, I prefer the "math word problem" style CAPTCHAs - Because not only do they not discriminate against the blind or the old, they effectively keep out the spam and the stupid. Win-win!
We have AI units that are equivalent to 4 year old kids. How much longer until they can defeat standard CAPTCHA systems?
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
CAPTCHA may be popular with with webmasters and others running different sites, but it's a source of annoyance to blind and partially sighted people — and dyslexic people and older ones — who often end up being locked out of important websites as they can't read wonky, obfuscated letters
CAPTCHAs tend to have an audio button where a string of numbers is read off to you.
Even Slashdot has a "mp3" button that reads the letters on the CAPTCHA off to you.
Doesn't that already help all the above people with issues listed here?
(Except possibly the "older ones", who may have hearing issues too.)
What do I know, I'm just an idiot, right?
Care to elaborate?
I was about to tell you to take advantage of the audio alternative offered by many services, then I went and tried a reCAPTCHA audio test to make sure I knew what I was talking about.
I apologise for even considering telling you to use those.
If taking a couple seconds to answer a CAPTCHA is too much effort, I probably don't really care what you have to say in the comment section.
Or a couple of minutes considering most capchas are illegible.
This!
More and more, captchas take two or three attempts.
(Disclaimer: IMHO, I'm not senile, dyslexic, a horrible typist. blind. Your opinion may vary).
I suspect some sites are intentionally forcing a fail once or twice, at least occasionally, especially when you enter the word
in a timely interval. Bots probably give up after two failures, and they probably answer quickly.
So implementers make it more and more restrictive and throw in bogus failures.
Sig Battery depleted. Reverting to safe mode.
Because we all know computers are terrible at doing arithmetic and solving simple equations
i've been using minteye on my site. it's a visual captcha, works pretty well. you move a slider back and forth to unscramble an image.
I've become convinced that the purpose of captcha is to punish regular users. I strongly suspect that spambots merely push the re-captcha link until they get a pattern that's easier to parse.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Any solution that uses images fails. You need to account for blind people. Hidden form fields are the answer! Don't require people to do anything extra!
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
I've been developing websites over 10 years and have never needed a captcha system.
This is how I always go about it:
1) Include a form input element labelled as something common, like a telephone number but on a registration form that would never actually require a telephone number. Hide the parent div using CSS in an external CSS file. When the form is submit, check to see if the element is filled out. If it is, simply display a message that you think their registration may be automated and to try again. If it continues, please contact us by other means (phone, email, etc) and we will help them through it.
2) Time the registration from the time the page is loaded to the time it is submit, if its less than 10 seconds, do the same as above, simply display a message saying you think their registration is automated and to try again, etc.
When used in conjunction I feel I've cut out 99.9999% of spam or false registrations. The timing method has to be done server side and stored in a session, and is fairly involved so not easy to do properly if you are new to web development. There is also the issue of someone hitting the back button to try again after a failed submission (if you don't use client-side validation), and them submitting from a cached page, but can be worked around if you know what you are doing.
Obviously its not bullet proof, and if the CSS file doesn't load then someone would see the extra form element. But its a small price to pay for effective protection.
Anyone else have other methods they use?
It is possible to train an algorithm to recognize CAPTCHA, even if the success rate isn't 100%, it is high enough to enable bots to register on websites with CAPTCHA. So, Australia is only pushing people to find out better solutions than CAPTCHA. In short term, a large amount of spammers will rely on optical recognition algorithms to decipher CAPTCHA anyway.
True, but I think the OPs point is those smart bots are not that frequently encountered. We know it can be beat, but in everyday life it is still not common to encounter such bots, and even when you do, you end up blocking 98% of the bots.
As those bots become more common, captcha will become less and less useful. Its a self solving problem that probably doesn't need any help from government, because government will invariably impose something more stupid and useless.
Sig Battery depleted. Reverting to safe mode.
One time registration is one thing -- I can just punch the re-captcha until I get something I can read. (But if I can do that, couldn't a bot do it too?)
It's the sites that require captcha for each login that really chaps my ass. Yeah, I'd vote for it to go away.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Not if you employed other technical measures. Search around a bit and you'll find captchas are unnecessary.
In all sincerity, can you post some links? I'll even take an insulting "lmgtfy" that end up with some good results.
I hate captchas, but all the other methods I have seen and tried (hidden form elements, javascript checks, etc.) all break down in one place or another.
I'd be curious about what "technical measures" you are talking about. There are some "universal IDs" that help to filter out some of the spam, but it still can slip through in a way that Captchas help prevent. There is also something philosophically wrong with trusting in some huge 3rd party vendor like Facebook, Microsoft, or Google to be processing authentication on your website, not to mention concerns about the NSA tracking everybody who is logging into your website as well.
Again, I'd be curious about what technical measures you are talking about.
I'm not a fan of CAPTCHAs, but your statement makes no more sense that declaring passwords bad because it is the websites problem, not yours.
Looking forward to not needing to look for the "Long S" character on my keyboard anymore http://blog.ambor.com/2013/07/an-unexpected-risk-of-using-re-captcha.html - I'm always worried that my employer is filtering on words like goatfucker when I mean to write goat(Long-S)ucker.
The easy thing for you to do would be to simply detect if the user is in Australia, and simply ban them from your website.
If this law passes, and most websites just refuse to serve Australians, then the fault, blame, whinging and recriminations can lie solely with the law and the people who created/passed said law.
What might work would be a pseudo-anonymous service:
Company "A" demands some personal info, validates it, chucks it, and makes a master certificate on your private key. You can then have other private keys (as many as you want) certified, each completely separate from the others, and the only connection is company A's certificate. Company "A" can even charge a small fee, say 25 cents for each key certified, and an initial fee of $1.
Then, the website could ask for you to just copy, sign, and paste some random text with your key. Then, the website checks if your key is validated with company "A", and grants/denies access.
If the website noticed that they are getting spam from someone with the key, they notify company "A" about it, and they revoke all keys owned by that user. This prevents any new accounts from being made, although current ones are left intact.
Of course, there would have to be degrees of separation, so that the user info that is validated never leaks to the throwaway keys used for each site, and there are some tuning items such as what constitutes validated, and what to charge. It isn't 100%, but it can be used.
Of course, another solution is requiring clients to have a client cert from a known good CA (and making sure the cert is a paid one, not a temporary, 30 day.)
More bitching. Got a better idea to prevent bots from signing up?
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
i've been using minteye on my site. it's a visual captcha, works pretty well. you move a slider back and forth to unscramble an image.
I never heard of it, and upon googling it, their own website wouldn't couldn't get pass my no-script. So right there, a significant and growing number of customers would be turned away.
But, I wonder of that would remain effective, after all, bots already exist to recognize letters in images. (Those bots existed before captcha). So as soon as Minteye becomes popular it will be bot-stormed.
I've also seen the word games, these are fairly unique as well. But I'm not sure they couldn't be attacked as soon as they become popular. It almost seems that obscurity is the best we have these days.
Sig Battery depleted. Reverting to safe mode.
Twilio. Facebook Connect. Twitter @Anywhere. OAuth. OpenID.
I wasn't posting that, but it is kinda obvious what some better ideas are.
B) Eliminate all the stupid users. This is frowned upon by society.
The "which of these pictures is a kitty" or the question "what is 1+1=?" are superior. The distorted text is irritating.
And as to the deaf... most CAPTCHA's will offer a "press to speak" feature.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Hey, don't get me wrong, I generally agree with you on this. Unlike Anon, you properly read the tone of my previous post as indicated by your reaction.
This group is, in fact, a bunch of whiny narcissists who will be ignored. And I'm fine with them being such.
As far as the when they'll start to care bit, you're right about that too. But we are, of course, dealing with narcissists. I can't come up with any good reason to really care if they're happy or not. These are the people who will demand to know why they can't embed media files on a forum that disallows it, and then whine and try to take their ball and go home when they don't get special permissions to do so. And then be back a month later, still pissed off and wondering why nobody wants to be their friend anymore.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
The solution is not to make it harder for spammers to post. The solution is to murder spammers after they post.
If taking a couple seconds to answer a CAPTCHA is too much effort, I probably don't really care what you have to say in the comment section.
It's not longer just a couple of seconds when one has to hit the reload button a dozen or so times before they get a CAPTCHA that's remotely readable.
And half the sites bit-bucket at least some of the data you've entered just as further punishment. So you have to type that in again.
Show me the captcha before I enter any data please. That alone would confuse half the bots out there. (For a while).
Sig Battery depleted. Reverting to safe mode.
How do you propose working around the following problem:
Someone named "stewsters" is spamming me. Please disable his account.
To an extent, you're right in that it's the website operators who want to use systems like the CAPTCHA. But the primary reason for using such a system is so that users can access the website quickly, and without wading through a tranche of spam to get to what they want to read.
The companies and website operators who use technologies like CAPTCHA didn't suddenly decide they would implement them, just to annoy their users. They are there for a reason and if we as users want rid of them, then we should absolutely be in favour of better alternatives.
Backup not found: (A)bort (R)etry (P)anic
Mozilla Persona http://www.persona.org/ is the new best one -- not tied to any corp, but without the usability problems of openid
People seem to forget that the term "CAPTCHA" (Completely Automated Public Turing test to tell Computers and Humans Apart) applies to a much broader set of tests than just those obfuscated text-based things that most of us loathe. Banning CAPTCHAs is a silly notion that would adversely affect every site currently using them, as they become swarmed by spammers. Instead of banning them, they should be asking people to use sane, simple CAPTCHAs.
For instance, on a forum I run for a group in a game, I use a form of CAPTCHA that has people drag words into categories. As an example, if our group name was "Guild X of Y", I might make the categories "Words in our group's name" and "Words not in our group's name", then ask them to categorize the words "Guild", "Elephants", "X", "Tree", "Honor", "Plus", and "Ocean". I have about two dozen sets of categories and words configured, and so far it's had a 100% success rate at stopping spammers from registering. It's also made it easier for people to register, since the number of e-mails and other off-forum messages I've received complaining about the difficulty of the CAPTCHA has dropped to 0 while registrations have actually picked up.
Such a system would obviously not work for Google or someone that large, since a spammer would just train the bot to know all of the answers, but for smaller sites, there are plenty of solutions that work just fine, and I'm sure we can find more systems that are simple for a human but complicated for a computer. No need to make something that's so complicated for a human to solve.
Alternatively, go with xkcd's approach to solving the problem of spam.
The NSA and its friends already track who logs into your website (or at least the IPs that do) so I wouldn't worry about that one too much.
One technical measure that has been floated recently is the idea of using Bitcoin. What you do is provably sacrifice some bitcoins to miner fees, thus creating a kind of anonymous passport. That proof of sacrifice has public keys embedded in it to which you own the private keys, and it was provably expensive to create. So the idea is that you sign up with your passport and then if you misbehave, it can get added to a blacklist kind of like how Spamhaus blacklists IP addresses. Now you can set the cost of abuse to a precise degree. Good users only have to pay once and can use the same passport for years. Abusers find their business models are unprofitable.
Unfortunately the software and protocols for that aren't implemented yet.
Text-oriented CAPTCHA schemes are obsolete, especially as a way to get humans to help with book OCR jobs. If the OCR program can't read it with context, humans probably can't read it out of context. A sizable fraction of book-scan CAPTCHA images aren't even text, let alone words. I've seen ink blots, mathematical formulas, and Cyrillic in what were supposed to be English-language CAPTCHAs.
Yep. But at least for a while, people dying on the operating table will happen, because even if people were perfect and never made any mistakes, we simply don't know how to prevent such occurrences completely.
I don't think you'll find people claiming that CAPTCHAs are a good solution to the problem, but without stating a position on the matter (I'd have to see some hard evidence) it seems to be not completely unreasonable to say that that they're better than the alternatives.
Let's go back to the OR table. Suppose that you have a condition that has a 90% chance of being fatal sometime in the next year. We can operate, but the operation has a 10% of fatal complications. Should you say "Operating has a 10% chance of a negative outcome. I'm not gonna do it. Figure out something better?" and wait around until we do?
Not if you employed other technical measures. Search around a bit and you'll find captchas are unnecessary.
You keep saying this, and you continue to not provide any citations. Just because you say it is so does not make it so.
I run a web forum that is attacked every single minute of every single day by spambots from China, Russia, India, and Pakistan. Captchas are one of several technical countermeasures I use to keep from being overrun with spam -- and by overrun, I mean really, seriously overrun. Forum spam is incredibly prolific.
Each of the technical countermeasures stops some of the spam. Dropping captchas from the mix would allow far too much spam to get through. And yes, I've closely examined the contribution of each countermeasure.
People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
Twilio. Facebook Connect. Twitter @Anywhere. OAuth. OpenID. I wasn't posting that, but it is kinda obvious what some better ideas are.
So on a business site, you would require a user to log in with an account from another site/system before they could contact you to show interest, request a quote, etc.?
I understand for web forums, etc, but my issue is contact forms on business sites. Most users don't want to share their facebook or twitter accounts and haven't heard of most of the other options.
I did see another post about combining the hidden form element technique with a short submission timer that looked interesting though.
If what presents itself as only the most barely notable disability in day to day life excludes me from your consideration as thoughtful well spoken adult due to a single special circumstance, I don't care too much about your comments either.
Minteye was very thoroughly broken.
http://translate.google.com/translate?sl=ru&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Fhabrahabr.ru%2Fpost%2F167359%2F&act=url
Essentially, the guy realized that jpeg pictures with distortions should have a completely different size than the undistorted picture. But all pictures delivered by minteye were of identical length. He figured they were padding the files with zeros, and he was right. By counting the number of zeros at the end of the file, the local maxima/minima was the correct file. He wrote a few lines of javascript, and it was broke.
John
This is not a negotiation. Nor would I want it to be. I'm fine with a better alternative being presented, but these users are the last ones I want to see present it.
You seem to assume I'm siding with the group. I'm not, really. I'm just saying that they want to be rid of captcha, and that's fine. When it becomes not fine is when the companies fail to respond to user issues with the current system.
Seriously, we can do better than Capcha, and I bet the guy who comes up with that idea is going to rake in a lot of cash, not tack it for free to a petition.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
How many blind people are there who use the Internet without assistance?
I know blind people, and people who have very poor eyesight. Most of them are older. When I talk to them about computers, they're not interested. One woman with macular degeneration tried a screen reader, and didn't like it. (That's $10,000 worth of equipment sitting in her closet.)
Back in the days of COBOL, there were a lot of training programs to teach programming to blind people. And there were a lot of successful blind programmers. There were braille printers. Then came Windows, and it got a lot harder for them to read the screens....
There are laws that require organizations that serve the public to provide reasonable accommodations to the handicapped. I support those laws. A lot of people have problems with hearing or vision. A lot of people can't climb stairs.
The question is, "What's reasonable"? If this were a widespread problem, and a million blind people can't read CAPTCHAs well enough to use Skype, that's a big problem and we might have to throw out CAPTCHAs. If it's just a dozen blind techies, maybe we could work out some simpler solution.
It's a cost/benefit question. What's the scope of the problem?
Because we all know computers are terrible at doing arithmetic and solving simple equations
But they are. It's out of context, and it's much harder to make programs that are flexible like that. They're bringing a regular expression to an arithmetic party.
"Little does he know, but there is no 'I' in 'Idiot'!"
So you push the bot detection problem onto a third party. But when they are overrun, the smarter bot operators won't spam the identification sites. So these service providers will never have good statistics on which measures work and which don't.
Have gnu, will travel.
Also, because emails are completely impossible to process automatically and not as trivial as adding "*:|spambot.pl" to the aliases file.
I have a solution. It's called paid services. Services where users have to log in and pay a subscription are much less susceptible to bots than free services. No CAPTCHA for users, less spam for hosts.
Yet somehow I feel most of the slashdot crowd (and internet crowd in general) doesn't sympathize enough with service providers to consider this an acceptable alternative.
These comments are mine; I do not speak for my employer.
Or a couple of minutes considering most capchas are illegible.
Hear hear! Captchas were fine when they started but lately they do this weird wavy thing. I have to hit reload a few times before I get one where I can make out all the letters... and my vision is just fine.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Facebook Connect is not a "better" idea.
You can hold down the "B" button for continuous firing.
Agreed, my systems (combined) are hit every 3 seconds by spammers and hackers.
While people may hate Captcha, webmasters do as well, until we have something that works at least as good, it stays, along with my other levels of fighting spam. It's imperfect, troublesome, and a hassle at times, but it's still one of the more effective anti-spam systems out.
And no, I will not let you login from Twitter or Facebook or any other junk, that opens up a whole new host of issues.
Looks like it's a flash-based captcha that applies a simple transformation to an advertisement. So, it forces your users to stare at your ads. It's got a huge flaw -- a human might need to decode each ad once to train a bot to decode every instance of that ad. Minteye will work until the point that it gets even a little popular. It would take a competent programmer with experience in image processing an afternoon to break this.
Bad guys run some pretty high traffic sites that oddly enough, require captchas. Their client bots forward the real site captcha to the bad-guy site, which delivers it to a human who wants access to the bad-guy site and answers it - which answer is passed back to the bot and submitted to the legitimate site in real time. They also compromise legitimate captcha-secured sites for the same method. It's the Mechanical Turk method of defeating CAPTCHA. Machine learning of text recognition is not required.
Help stamp out iliturcy.
Facebook Connect. Twitter @Anywhere.
Just no.
Filthy, filthy copyrapists!
Agreed. I've found asking a question like "What is five plus seventeen?" is much more effective at keeping spambots out than any standard CAPTCHA.
One of the Five Eyes Alliance. No doubt, the 'best' replacement for CAPTCHAs will be a centralized authentication/login authority. Or at least a few large outfits that can be arm twisted into linking everyone's accounts together. Like Google, Microsoft, OpenID, etc. Its just a variation of 'think of the children'. Think of the blind.
No thanks. I'll keep my on-line personas separate.
Have gnu, will travel.
I recently started getting hundreds of spam signups a day on my site. So I installed a CAPTCHA to prevent that. I setup a standard image CAPTCHA with a plugin for the CMS. More then 80% of the spam sign ups just walked right through it. Then I changed the type of CAPTCHA to an ASCII art CAPTCHA. I haven't had a spam sign up since. The ASCII art CAPTCHA is also much easier to read then weird image CAPTCHAs.
Instead of a CAPTCHA, show them two posts and indicate if none of them, one of them, or both of them are spam posts. Behind the scenes, one if a post you know for sure is good or not and one you don't know about.
You can use the responses to rate users (how effective is this user at rating posts, based on how well they do identifying spam?) and posts (how likely is this post to be spam based on what users say about it?). Bad users and bad posts get booted from the system.
I bow to you, because to my simple brain many captcha's these days are a PITA. Enough of a PITA that I'll say fuck-it half the time and a website just lost a potential subscriber/user.
I can't say I like the idea of having to buy into something I don't trust to get the privelege of using certain websites.
LOL I have to submit a Captcha code to post this to Slashdot, I love the irony!
How is that ironic?
Even now I'm not sure if letters need to be entered as shown ie: some letters are upper case, some lower case.
I'm leaning towards it doesn't matter.
These are only first impressions, but it looks ridiculously easy to solve automatically.
First of all the warp angle jumps significantly more before and after the "correct" image than between other images, so a fairly simple block tracking algorithm would have a very good chance of identifying the correct image:
[image]
You don't have to get exactly the right image - one or two either side and you're okay.
Secondly, the warped images are significantly less sharp than the correct image - in a purely mathematical sense, too, which means it'd be simple for a computer to identify the correct image (confirmed with high pass filters and histograms).
But it's actually a lot simpler than that, as plover has posted here.
What you've got there is CAPTCHA through obscurity, nothing more.
systemd is Roko's Basilisk.
Those are not effective solutions. At best, you'd be shifting the problem slightly, and those services present other problems.
Actually, my mistake; what you've got is a company selling adverts through your site that users are forced to look at.
systemd is Roko's Basilisk.
I moderate on a blog about autism. It uses captcha fairly heavily. Adding catpcha has done exactly NOTHING to reduce the 20 new users a day and the three or four who post spam.
It does go in waves. And from the language used, I've got to think it's Eastern European/Asian mainly. But boy is it prolific, and apparently captcha is worthless for stopping it.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Anyone using a widespread bulletin board software will know that despite hard Caiaphas, spammer accounts are registered like crazy.
I include a small set of questions and answers relative to the interests of those who would visit the board. E.g., for Slashdot:
Complete the following sentence:
[randomly select from sentences]
"TFA" is an acronym meaning "The _______ Article". (7 letters)
Another alias for "Anonymous Coward" is "________ Dweller". (8 letters)
--etc--
Prior to instituting this simple questionnaire there are usually hundreds of spammers a day. Afterwards? None.
This is actually trivial to solve, indeed I don't even use the session token as a seed for creating new mappings between the numeric question ID, and the answers. So, a diligent spammer could simply collect all the questions then add the responses to the bot... Only THEN would I escalate to the code I've already written that does the randomized mappings, after first swapping in a new set of questions / answers.
But why?! Why wouldn't I use the MORE secure way right away? Because I'm not a fool. It has to be worth their time to enter an authentication war with me. Let them waste time writing a bot solver first, then immediately have their work become useless. In fact, this has already happened a few times. It's even rarer for spammers to then continue escalation -- they could just migrate to one of the other boards that is not so hostile, and upon which pre-made automated solvers still work. In fact, I have found good success Starting with only a single question. Replace the selection function:
sub random(){ return 4; } # Return truly random number, selected by fair dice roll.
Then I can simply revert to the randomized set of questions to escalate the spammer's coding and deployment cost. Thus, gaining yet another defense at little cost.
Any heterogeneous environment has what's called a "Single Point of Failure". This is why sex exists. Combinatorials are a simple way to get some randomness without all kinds of unexpected outcomes that rampant mutations in an asexual production would first attempt. Bacteria can use other methods because they've abstracted reproduction from defense: transformation, conjugation, etc. So, the uniform use of SSL, is stupid to put it mildly. It could have been like a bacteria, standardized and abstracted extensible protocol for defensive encryption... It's not though, it's a dumb for including a heterogeneous set of transforms dictated by AES standard. I mean, virtual machines exist; You're using one to decode font glyphs, and Unicode BIDI right now, but not for extensible encryption? How daft. Pervasive use of a brand of Captcha is equally retarding.
How foolish you humans are to not even learn the most basic of Life's Lessons. Diversity is a defense. When you use science to analyze natural selection's method of Trial and Error, Observation of results and Preservation of favorable outcomes... I bet you don't even make the correlation that Nature invented Science billions of years before you rediscovered it... I bet you don't even realize that's a universal truth inherent to any self improving cybernetic system, from DNA life compilers to C compilers. Ugh. Humans: Can't live with 'em; Can't teach 'em to survive.
Adding rel="nofollow" to any links provided by your untrusted commenters is a good start. It's a promise that Google and other search engines won't do any indexing or page ranking based on the href in the same tag.
Spammers have a pretty common M.O. They sign up with an account and use their spam link as their "home page". They then pollute the blog. The obvious spam is repeated variations on the same topic, and looks like "brand name products, products brand name, brand products name, ..."
Lately, link spam is done with a flattering but generic message that looks like it came from a non-native speaker: "I thanking you for your keen insight, have you other similar articles online? I would like to know more how you come to know this." An unwary site operator will often mistake the flattery for a conversation, and allow the spammer to remain a user. (The flattery is script-generated, by the way.) Their "home page" is often a dummy "news portal", which is just replaying whatever feeds they can get. The trick is this news portal has lots of links to the sites the SEO is trying to push.
While rel="nofollow" will render their efforts to associate their spam with a legitimate blog completely wasted, there are two negatives. First, unless the spammer knows it's there, they're going to spam you anyway. Second, it takes away your contribution of "linkiness" for your legitimate users' links to Google's pagerank algorithm. You can fix this with extra work like "probationary" and "full" users, but then you're taking on the task of rating your readers, which may be Sisyphean on a site the size of Slashdot.
John
I still think for small topic-based blogs, a set of whitelisted words works the best. If a post doesn't contain any of the whitelisted words, it's spam.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
I'm neither and they annoy the hell out of me; and those little "validation games" (dump the fish into the bucket, or whatever) are ridiculous time-wasters. I'm also a web developer, so there's that. CAPTCHAs are for lazy web developers to offload the task of anti-bot protection to the user.
Create some dynamic form elements that only display via Javascript DOM and are required by a backend script. Create a per-IP limitation on registrations per 10 minutes. Require a minimum time between form loading and form submission. Require a cookie to submit the form.
The point is: the more variety of anti-bot systems that exist, the less attractive a target there is for bot makers.
Each time I swear it was an Aztec chant out of the Necronomicon to raise the evil dead. (And I'm only being partial sarcastic when I say that.)
Did you know 80 to 90% of the moderators on slashdot wouldn't recognize a troll even if one dragged them under a bridge.
There's an obvious measure: don't allow untrusted users to provide links at all, and sanitize their data (server side) to mangle any protocol headers from their text, like adding a space before any text matching ://, so the results become http :// , https ://, or mailto ://. No search engine will try to follow those. You are already santitizing your inputs to restrict users from posting bad stuff like javascript, right? This is just one more thing to check.
You could even get cute using javascript in the browser to flag the text in red if they try to type a URL so they might know in advance they will get nowhere.
Then, to reward the faithful, you can have a karma system that permits voted-up users to post valid links (like stackoverflow). Or you can have an admin manually grant them "good user standing". Either way, your spammer is either contributing real value to your site (which is great) or they've gone away (which is great.)
John
Because it's an unusual approach. If it were adopted en masse it would become the biggest target, and you'd see bots that were able to parse simple math problems from natural language and compute the answer. That isn't a thoroughly hard problem, and may even be amenable to hand-coding the set of cases for different wording the generating system is programmed to use.
don't you think they fixed it? it sounds trivial to fix.
/\37R07URF campaign. Most captchas nowaday even included a link for an audio CAPTCHA.
no, you can choose among three options: 1) they show ads, 2) you show your own photos (which could be ads for your producs, lolcats, or whatever, 3) they show generic photos, flowers in this case. so some of the criticisms on this thread are valid, but the adversing one isn't an issue.
If you actually read the links you posted, you would know that apart from the ‘just hire humans’ approach, only 1 worked with Recaptcha and that problem has since been fixed. That article also makes it apparent that simple difficulty increases need not-so-simple AI increases to be overcome.
And hiring humans isn't popular, probably because the response rate for Viagra spam is so low that even a tenth of a cent per captcha is simply too expensive.
So people who can't see are unable to click a button that plays the word so they can listen to it?
The same people who use screen readers...
What's wrong with putting aria tags on the button, so their screen reader tells them about it?
i said below - adverts are just one option. you can also show your own images (plugs for your own products, lolcats, whatever, or have them show generic images like flowers. i agree about potential for breaking - sounds like a cat and mouse game where they keep refining their photo algorithms.
i'm not surprised their site would fail, but the captcha itself doesn't fail when put on other sites.
Show me the captcha before I enter any data please. That alone would confuse half the bots out there. (For a while).
Show me a simple Calculus problem or Trigonometric identity to solve in regular text, instead of a single word all muced up. It would be easier to solve
This tehnique won't work for long: https://www.google.com/search?q=five+plus+seventeen
There are bots that can automatically register on a site, then check the email account for the activation link, in order to start spamming, so that's not a solution.
You e-mail them an encrypted PDF or encrypted Word .DOCX file. With an instruction to visit the link; when they visit the link, they are prompted to double check their phone number -- a call is placed using VoIP technology, and an agent speaks out the secret code required to open the PDF or MS Word file.
The DOC file when opened contains "Unique directions"; for example a link to click on
Then a phrase such as "Four score and seven years ago"
Instructions: Please type the digits of all spelled out numbers in the above and then subtract the square root of 16 from them. Type in twice the value calculated.
Remove every 2nd word from the above phrase, then make the next to last letter of each word capital and remove trailing vowels. Add a trailing punctuation mark and lowercase the first word.
I run a couple Wordpress sites for people and ran into massive spam problems. Askimet solved many of the comment spams, but not user registration. Eventually found a plug in that inserts random questions like What is the fourth word of the sentence." Or What colour is the sky? That has effectively blocked 99.9% of splog spam.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
The only alternative to this that I see is for a central ID system which independently verifies you are an actual person. Trouble is this has some rather severe implications for privacy, in addition to being a central point of failure.
In either case, spam isn't going away anytime soon now that spambots are operating out of the Tor network.
Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
But they are. It's out of context, and it's much harder to make programs that are flexible like that. They're bringing a regular expression to an arithmetic party.
It's not necessarily trivial, but it is definitely a lot easier than an image recognition or image CAPTCHA solving problem.
Regular expressions are great for parsing and normalizing.
s/seven/7/ s/minus/ - / ....
It does go in waves. And from the language used, I've got to think it's Eastern European/Asian mainly. But boy is it prolific, and apparently captcha is worthless for stopping it.
It's probably called: human help in solving the captchas. Captchas eliminate lots of spam --- the automated stuff, not the stuff that has human help behind it.
I wouldn't judge it 'worthless' until you've experimented with shutting the CAPTCHAs on and off many times at different randomly selected sampling intervals -- gathered the data, and found; no effect on the rate of spammers signing up.
If the site is designed for those of us who have been through semi-advanced maths and if the spambot had no ability to perform basic calculations sure.
Ultimately I agree that it would be easier for you or I to solve than trying to decipher the Sumerian cuneiform that most CAPTCHAs pass off as text...in practice, however, I think this would alienate about 90% of the target audience while making it easier for bots to decipher and bypass.
I support those laws.
Ditto. Hovever installing a ramp does not mean you are not allowed to have a staircase. I seriously doubt introducing a law that technically handicaps web site owners is the best way to help blind people access the web.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Show me the captcha before I enter any data please.
Yes! God yes! I've walked away from a few sites that expected me to re-enter a whack of data because the CAPTCHA borfed. Including some where I had intended to spend money.
It always seemed stunningly obvious that you carry over the form contents in situations like this.
Three Squirrels
That is what pisses me off the most about it. You have to struggle *after* you have already made some effort to enter information.
However, they know it very well too that if they show you the captcha *before* you enter any data, most people will just give up right away, because they haven't invested anything yet.
May Peace Prevail On Earth
Likewise. If it looks like it might be worth my time to get to the content of a site, I might make two, maybe even three attempts. More than that, and I'll abandon the site and add it to my hosts file never to be visited again.
An authentication tool that is easier for computers to solve than for humans isn't of much use. Especially when the user is being made to feel like he is being punished for visiting the webpage.
If this is such an issue for accessability, how much worse are Flash media, .jpeg'd text messages/media, and AJAX?
None of those technologies lend themselves to text reader applications nor to braille translation.
Nor have I ever seen a Captcha on an actual useful web site -- instead they use little things like manual verification of new accounts, especially things like IBM's developer web sites and my bank account. In fact both my bank account access and my government tax account access required snail mail verification codes for the initial log-in.
Methinks someone over-rates the importance of websites that rely on CAPTCHAs.
I do not fail; I succeed at finding out what does not work.
I like it. I hadn't done any quality research, but it is nice to see work done toward making a non-corporate and easier option.
B) Eliminate all the stupid users. This is frowned upon by society.
I prefer to use one or two accounts to having to create a new one for every site I go to, yes. I prefer to trust one or two well designed systems rather than every half-baked cowboy coder, yes. I think that most people don't care much what system they use and are more likely to trust twitter than john's-favorite-blog system. They're also more likely to remember a password to a couple of sites they regularly use than use a complex system to generate new ones for each of the dozen ones they otherwise.
Plus, with most of those options, I don't have to process a CAPTCHA each time.
B) Eliminate all the stupid users. This is frowned upon by society.
They move the authentication process to a few providers rather than hundreds. The few used are more likely to be secure and less likely to need complex authentication each time.
B) Eliminate all the stupid users. This is frowned upon by society.
This would fail.
The majority of spam comments now are autogenerated with keywords and generic "thanks for this info, I will come back and read again" messages. Your typical user won't recognize this is spam. It's just like using bayseian filters for email spam.
I'm out of my mind right now, but feel free to leave a message.....
Remembering a couple passwords and using an authentication they already have is more effort? I don't get how you come to that conclusion. They address the problem of having to create a new ID and prove humanness via CAPTCHA, which is rather the point of the discussion.
B) Eliminate all the stupid users. This is frowned upon by society.
Um, no. The computer doesn't have to understand the meaning of a scene in order to render it. Games are rendered a hundred times per second. The GPU doesn't know that's Lara Croft's boobs, it's just polygons.
pad it with random instead of zeros?
signature is pants
Vastly superior methods for stopping spam have existed since well before captchas were invented.
They still exist today. I've written about them at great length (elsewhere), as have others.
I guess it's just an oversight on your part, that you didn't include a link, right?
The problem is not that these methods don't exist, or aren't effective, or aren't well-understood; the problem is that people refuse to invest the effort to learn them.
Well, I would love to learn them. Unfortunately, every alternative method I heard about, was either less effective or did simply solve a different problem altogether.
An anedocte: I had a website which the only page which is accessible for a non logged user is the user request page.
I got a lot of user requests with bizarre usernames. Denied them all. But I started getting 10-20 per day, and increasing. That only stopped when I put a captcha on that page.
-- --
If it's reasonable to kill captcha because it's something that works for many but not for a few, why shouldn't the entire (well, 99.999%) of the web that's inaccessible to the totally blind be banned as well?
purging the spam comments isn't even half the problem. I recently set up a site for a small hobby group here using Joomla with K2. As they only had a few members and were migrating people from a facebook group to their site, they didn't really feel the need for a lot of things, like captchas on the blog comments. 2 months after we set it up, I get a panicked text about how it isn't working and the hoster had shut down their site. After getting access to site, I found there were hundreds of thousands of blog comments which had basically been posted at once by some spam bot.
Captchas enabled, no problem since. Screw blind people. If they want a site to even use, they'll just have to deal with it. not that I think they'd be much for a bike club..but I could be wrong..
And where did you provide those references?
Rethinking email
Quite right.
While some visual captchas can be quite obnoxious, audio captchas (at least the ones I ended up trying) are truly evil.
Good thing blind people tend to develop much better hearing. They're really going to need it on those audio captchas.
...but how do they sign up for that email account?
Via your mobile phone number, Gmail has been doing that for a while for new accounts.
I'm visually disabled and while I agreed sighties often overlook our needs the cold hard truth is that any sort of support for the blind will be leveraged by spammers and bots who seek profit at the site owners expense. Would I love to have better support for mend others like me? Yeah.. but I'm a realist and I know its never going to be a priority for most people because the sighted done care about the blind like me.
- d
I think Joe Cascio's idea of "collateralized identity" looks really interesting here:
http://joecascio.net/joecblog/2013/03/25/collateralized-identity-using-bitcoin-to-suppress-sockpuppets/
The core problem we're really trying to solve with a CAPTCHA is: anonymous identities are very cheap to create. We can require the user to provide and verify an email address, but it turns out those are cheap to create too. What we really need is a way for the user to prove that they have something invested in their identity - be it monetary value, time, cpu cycles, or whatever. A bit like slashdot karma (so you can filter out trolls/spammers using identities with nothing invested in them, which are cheaply created/replaced.)
Bitcoin, if it should ever gain widespread adoption, provides a very convenient mechanism to accomplish this:
1. each bitcoin user already owns pseudonymous unique public identifier (ie. their bitcoin address), which they can provide to any website as a portable identity
2. to prove ownership of this identity the user can sign a challenge from the website using their private key (hey, we just solved the password problem too!)
3. an amount of monetary value (ie. bitcoin) stored at this address, plus the length of time it has been stored there, is publicly visible on the block chain.
This allows the website to assign weight to the identity based on a combination of: the amount of value stored with the identity + the time it has been stored there. An identity that has had $20 stored with it for 3 days is probably not a spammer. An identity that has had $0.20 stored with it for 3 months is also probably not a spammer.
Of course it is easy to generate an unlimited number of such identities - but hard to have a decent amount of value stored with each of them for a decent amount of time. Websites can easily adjust the weighting threshold required to sign up / post comments based on experience with incoming spam. And there's always the ban hammer - which suddenly has some real weight behind it again :)
Important to note:
1. the money (ie. bitcoin) associated with the ID stays under the user's control at all times. The user alone has the private keys required to transfer/spend it any time they like - of course doing so would lower the weight assigned to their identity by any websites that inspect it.
2. the website need not store any authentication information for the user (eg. a password). The user retains control of their private key, and can use it to authenticate without disclosing it to the website.
Too hard for Joe Public to understand? Maybe.
Just imagine this all wrapped up in a friendly browser plugin. When you visit a website there's no login page - your browser has your private keys (perhaps encrypted with a master password, like Firefox's password manager does today) and just automatically authenticates you. Your browser could provide a drop-down "switch identity" widget in the toolbar to let you flip between multiple IDs / generate new ones, which is the only bit visible to the user (they need never hear terms like "private key".)
An "add weight to this identity" option would allow you to add/withdraw funds for any ID. Initially this might look like a bitcoin transfer (confusing for non-technical people), but a private company could easily provide a regular payment gateway on top of this (ie. accepting dollars), making the process no harder than recharging your skype credit.
Adding weight to any identity would be strictly optional, but might eg:
* allow you to skip CAPTCHAs
* allow you to post at +2 on slashdot by default
* generally increase the trust in your identity being genuine all over the web - use your imagination....
--Gareth
fine.. run your own site, or go somewhere else.
You could start off with your common-or-garden variety spam filter and increase the linguistic sophistication for your defences from there ...
C'mon, given the technology that exists to spy on you everyday, CAPTCHAs are a really dumb way to deal with this problem. I mean, if we can land a man on the moon ... oh yeah we can't any more, forgot.
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
What happens once Project Gutenberg runs out of books published before 1923?
Suggestions probably get shut down because the "one corner case" happens to be the subject of the featured article.
Your solution breaks with multiple people in the house who share a phone.
The web is not a visual medium. It is a medium of the HTML DOM, even if your favorite user agent happens to present it visually. Blind people use tools called screen readers that read text in the DOM aloud.
For a captcha for the blind, how about the question "Which sentence makes sense?" and grab a sentence from some out of copyright book or something with four other computer generated ones, that are grammatically correct, but otherwise are nonsensical. Something like:
A. He was a light, slow, and there is a small Saturn -- away from a high flame lying in the life within it.
B. This was not illegal (nothing was illegal, since there were no longer any laws), but if detected it was reasonably certain that it would be punished by death, or at least by twenty-five years in a forced-labour camp.
C. Its neck was a novel entitled "Kaleidoscope Vision," which is hat crinkle were like fresh glass domain key
D. He was shrill the world was a greenish drink at me that leads to allow the cold water
Read the (7 letter word starting with F) article: I must be lousy at counting today because "featured" looks like it has eight letters.
I have no mod points so I must say that if everyone had that same reflex you just displayed, of checking ones assumptions when it's trivial to do so, humanity would be conquering the universe at this point.
As a moderator on a Popular Australian bonsai website, Without captcha we wod be screwed. the amount of spam whil having it on is bad enough, We had it turned off for a while and got hammered!
We actually use multiple methods, and we still get spam!
the only answer would be to shoot every spammer!
True, but that is likely to be the same for any widely adopted solution. The best protection is probably just to have a question that is fairly unique and yet has a well defined or known answer.
They move the authentication process to a few providers rather than hundreds. The few used are more likely to be secure and less likely to need complex authentication each time.
Or: They move the authentication process to a few providers rather than hundreds. The few used are more likely to be heavilly targetted by spammers and less likely to do the required job.
Authentication and determining trust (i.e. determining whether the "user" can be trusted not to spam) are two separate problems that are perpetually bundled together inappropriately. IMHO they need to be separated:
The authentication service provider needs to be someone the user trusts - when I go to some-random-blog.com and have to authenticate to leave a comment, the blog can contact my authentication server to find out who I am. The blog doesn't need to know how my authentication server is authenticating me (could be a password, or kerberos, or whatever), all the blog needs is confirmation from the auth server that I really am who I say I am. So I can log in with "me@example.com", the blog makes a DNS SRV lookup on example.com to find the auth server, does a challenge/response handshake with the auth server that proves that the auth server has determined that I really am me@example.com. The authentication server can be run by myself, my ISP, my email provider, facebook (if I were insane), whoever - the important thing is that the authentication provider is someone I trust and no one else gets my actual authentication credentials. This immediately massively reduces the threat of leaked passwords, etc. since I'm not having to hand my passwords out to random people I don't trust.
The "trust provider" (i.e. the service provider that determines whether or not I'm a spammer) needs to be someone the blog owner trusts - it could be run by the blog owner themselves, or some third party (google, etc.). All it does is some verification that my ID (me@example.com in the example above) is used by a human. The blog asks the trust provider for verification, the trust provider says "this ID doesn't belong to a spammer" and the blog allows me to post. I guess some kind of feedback mechanism would be good so the blog owner can inform the trust provider if I start spamming.
This even provides some level of anonymity - I can have multiple IDs all backed by the same authentication credentials at the same server if I want, and it could be arranged so the blog itself never even sees my ID, only the trust provider actually needs to see it. And if I *really* trust my authentication service (i.e. if I run it myself) then I only need one set of authentication credentials in order to log into anything - whether that be slashdot or my bank - because no one except my auth service actually ever gets trusted to see those credentials.
http://blog.nexusuk.org
If the site you like does get spammed, then it is your problem.
More Spam = more expensive site to run = need for more income = more adds smarter adds ones that go around add blocks.
I am all for ending capatachas however what are the alternatives?
Please I would like more discussion on good alternatives, then just busting on an old attempt that works OK.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I am vision impaired & *had* a hard time with captchas.
Until I remembered that in firefox, ctrl+ zooms.
When I run into a captcha, I hit ctl+ a few times, fill out the captcha & submit.
Then I hit ctrl- a few times to get it back to the appropriate size. Yes, I know about ctrl0, but I already run most pages a little zoomed.
Every single person I have shown this to, vision impaired or not, no longer has a problem with captchas...
pass it on!
I think this would alienate about 90% of the target audience while making it easier for bots to decipher and bypass.
We need to ask 4 or 5 questions, and allow the visitor to "Choose which question to answer"
Please answer three of the following, and leave the rest blank:
Captchas are a regrettable first line of defense to keep the remaining spam manageable. You really need multiple defenses to keep the conniving bastards out.
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
There's a missing comment upthread which included half a dozen or so links (including one back to Slashdot) about projects that have quite, quite effectively demonstrated that captchas are worthless.
Of course anyone of even modest intelligence would be capable of doing their own homework and searching the web for things like "captchas defeated", then reading what they find. It's old news (years-old, in fact) by now, so there's plenty to read about. But then again, nobody of modest intelligence would even consider using captchas: that's the province of the lazy, the stupid, the ignorant, the worthless.
Here, I'll get you started: https://freedom-to-tinker.com/blog/felten/cheap-captcha-solving-changes-security-game/
That's one of MANY. You should be able to find some of the rest in a few moments without further assistance from me.
No, not a troll, just very aggravated that this conversation is apparently necessary. The lack of cognitive and research skiils among defenders of captchas is appalling; how can ANYONE be so amazingly ignorant as to not recognize that the only captchas that haven't been thoroughly defeated are those that aren't worth defeating -- because what they "defend" is so pitiful that not even spammers care about it?
As to your incorrect speculation on my background: I go back to ARPAnet days, kid. So I've earned the right to be a little snotty from time to time when faced with the kind of monumental ignorance on display in this discussion.
But you know what? If you want to blindly persist with your pathetic captchas and your laughable belief that they have any value at all: go right ahead. Just keep holding up tissue paper in front of a tank and hoping it'll work. I'm sure that'll work out just great for you.
Computers can solve some of these more easily than humans can. We can stop pretending we're still better than machines at optical character recognition.
That isn't a thoroughly hard problem
Solve it, then.
From apples three, bright and red, Billy ate the first and bled - A razor had a witch hid there. One drop, two drops, three drops, more! And gazing down at the evil barb, he reflected on the primary causes of World War II. Drip. On the Pythagorean theorem, drip. On shoes and ships and sealing wax, drip drip drip. On the price of a first class stamp. On dasher and dancer and oh, the agony. He noted the blood, ignored the rest, what is six times 9 less pi? Then he died. Alone. In the rain.
Go ahead. I'll give you another when you have a program that can parse that one correctly.
You can automate one part of that, though - Any IP that answers 50.858, you simply auto-ban as a spambot.
no.. this is about blind people complaining that audio captchas are too hard.
you know why they complain? they haven't had to deal with a bunch of impossible visual captchas.
slashdot is one of the few sites with reasonable captchas.
There's more than just that involved.
A certain nameless site for a very popular product has color captchas. I desperately needed support, but could not register because it used a color captcha which rendered very poorly at my screen resolution and used colors that strained my less-than-perfect color vision.
And the maddening thing about it was was that I already had seen plenty of spam posted to the forums. The spammers had presumably simply hired cheap labor to defeat the captchas manually.
They've gotten too good. I cannot read them!
No. They are not. You are simply not worthy of attack
Once you climb down from your exceptionally high horse, you will realise that that is the very definition of working.
The *VAST* majority of spam is commercial spam. They routinely scour the entire internet looking for insecure forums and dump massive quantities of spam onto them. You don't have to tilt the economics very far in your favour before you're not worth the money to target.
I run a small, special interest professional forum. The first time I tried to put it up, it was unusable. Captchas made it usable.
And you're trying to tell me that it didn't work.
hey will go right through your alleged "captcha" defenses without the slightest problem.
And? Most places have a weak lock on the front door. A targeted attack would go through in seconds. That doesn't mean that the lock and door do not prevent the vast, vast majority of opportunists.
SJW n. One who posts facts.
spam would be your problem as well, as it would make many pages/sites unusable. while i do find some captchas annoying, i find spammers a thousand times more annoying. i wish them painful death, maybe by suffocating in sleep and waking up too late. or something.
Rich
because what they "defend" is so pitiful that not even spammers care about it?
You say that like it's a bad thing. I have a small, technical, professional special interest forum. It seems to be of value to the users given that they keep posting, but is "pitiful" according to you. The readership is not big.
Initially it got overrun by the massive bulk spamming operations. I put in a captcha. Now the economies don't work out for targeting a small forum like that.
Great! Captchas worked!
So I've earned the right to be a little snotty from time to time when faced with the kind of monumental ignorance on display in this discussion.
Yet you are the one being monumentally ignorant by assuming that anything worth protecting but not worth attacking is "pitiful". You seem to be ignorant of the whole world of small special interests out there that are valuable to the members but will never be big.
I am fully aware that captcha's are not very strong security. Neither is the lock on my front door. But I guess my house is "pitiful" since I don't have the crown jewels locked up inside.
SJW n. One who posts facts.
don't you think they fixed it? it sounds trivial to fix.
Their website's examples are still zero-padded, so it seems not.
systemd is Roko's Basilisk.
It's still trivial to break: https://gist.github.com/Glyxbaer/4564489
systemd is Roko's Basilisk.
If taking a couple seconds to answer a CAPTCHA is too much effort, I probably don't really care what you have to say in the comment section.
If you can't take a couple of seconds to skim through the summary and discover that it's not just about time, it's about accessibility, then I don't care about your opinion either.
Instead of complaining for it's removal, they should instead implement an alternative to systems like re-captcha, such as a world wide phone verification system and their expense and provide it free to webmasters. Otherwise free solutions like re-captcha will remain dominant.
Change is certain; progress is not obligatory.
All you have to do is ask a simple question: "Are you a robot?" with radio buttons for "yes," or "no." Bots can't lie if you ask them if they're a machine. I know because an undercover cop told me.
Two problems:
1) People are lazy and don't want to know.
2) People can't figure out how to get Bitcoins - See 1.
Change is certain; progress is not obligatory.
That implies that spammers are unconcerned whether or not their spam is effective. They're concerned about the ease of spamming.
Which makes perfect sense if you're farming out the task of spamming to cheap labor or to robots - the laborers will follow your instructions, it's not their job to analyze whether or not it's working. So you could warn the users all you want that their spamming will not be effective, but the spammers are not even going to read it, and will pollute your site anyway.
That further implies that even a weak captcha would be enough to stop robots and low-paid laborers. And a friend of mine offers anecdotal evidence that it helps. He added a check box to his site: "check here if you are not a spammer [ ]". It reduced some of the automated spam. But he still reads and approves all comments before they're posted, as there is still spam.
What about a script that produced randomized simplistic captchas: "Human test: two plus three equals [ ] four [ ] five [ ] six" "Please answer this question - three added to three is [ ] six [ ] seven [ ] eight". Vary the wording, vary the answers, vary the correct answer position, vary the position of the question on your sign up screen, and randomize the field name. It will stop robots until someone specifically targets your site.
Better, don't vary anything until you need to. Let the spammers do the work first of adapting to you. They might ignore your site unless you're really worth it to them as a target. Then vary one thing, and see if they "chase" you with a round of fixes. If they continually adapt their robots, (or pay for smarter laborers), then you need to do something else. If not, you've saved yourself a lot of work, and you still have fewer spammers.
John
I've seen quite a number of CAPTCHAs that were so distorted they were completely impossible to deduce any actual Latin characters out of them at all. (Or the occasional CAPTCHA that actually very clearly had characters that were *not* Latin characters. Those are fun.)
I've found the best way to get rid of spambots without wonky captchas, is to have a free-form textbox field that requires the person trying to create an account to answer a simple question. For smaller sites, it can even be a static question like "what's the answer to this question: 5+6 = ?". For larger sites it can make sense to have a rotating or frequently-updated question about the site itself, something a spammer, even a non-bot spammer, wouldn't know without researching, but that someone who came to the site because they were interested in the subject would.
Perhaps you would need to have a certified account to report people. When you get decertified it will tell you what account banned you.
I would just make that stewsters guy (who obviously is a spammer) pay again to re-enable his account and take even more money. He would then report whoever reported him, producing a chain of cash that will only be broken when the spammer or the reporters are out of money. I would hope there are more people interested in removing spammers than there are spammers willing to pay money. Eventually, the spammers will realize that they have wasted to much cash and that the system is too costly to spam. Then I take that money, give a significant portion of it to charity, and use the rest to buy a sweet Maserati.
Its no more of a scam than ssl certificate authorities. Well, maybe a bit, but not much more of a scam.
If taking a couple seconds to answer a CAPTCHA is too much effort, I probably don't really care what you have to say in the comment section.
Or a couple of minutes considering most capchas are illegible.
This!
More and more, captchas take two or three attempts.
(Disclaimer: IMHO, I'm not senile, dyslexic, a horrible typist. blind. Your opinion may vary).
I suspect some sites are intentionally forcing a fail once or twice, at least occasionally, especially when you enter the word
in a timely interval. Bots probably give up after two failures, and they probably answer quickly.
So implementers make it more and more restrictive and throw in bogus failures.
I have a 13 inch diagnal laptop screen, and a 22 inch desktop screen, and theses distorted captchas are the pits. If they could be as good as the ones from /. I would not mind them. But for some site, the programmer, if you get the captcha wrong, wipes all your input.
Regarding multiple entries, "yahoo.com" always forces me to enter the password twice. That is at least better than clearing the form and starting from the beginning
Leslie Satenstein Montreal Quebec Canada
So, have some of the racists idiots with zero tech skills, and too much time on their hands, posted to this thread yet? I've already seen two stories - I think the last was on Beezos buying the post, that had a long, incoherent rant by some asshole, with nothing to do with anything other than their desire to masturbate in public.
mark
The best and most simpler solution to stop all registration bot spam is make your registration double optin. If the bot cannot click a link in a confirmation email then the registration never succeeds. Even harder would be make the link in the email unclickable and make them copy and paste it into the browser to complete the registration. That is mission accomplished.
You did what? You know what you are talking about? You know you are on /. right?
The new right fascists are bilingual. They speak English and Bullshit.
You have to look at the intention of the law. In the US the percentage of legally blind people is 0.03%. People with disabilities should just accept that there are things that they wont be able to do. I know that isn't very PC and I will get hate for saying i. Shit someone has to don't they?. This is about forcing people to register their real identity when the first log on and that data being available everywhere they go online automatically. It is to make anonymity online as close to impossible as they can.
The new right fascists are bilingual. They speak English and Bullshit.
I wish /. had an edit feature. At least until I had had my second cup of coffee.
The new right fascists are bilingual. They speak English and Bullshit.
What's wrong with the audio option that is offered by every CAPTCHA service *I* know of?
Including the one that /. uses for AC posts.
THINK! It's patriotic
Per image, it's a one-dimensional search space. If you expect a human to solve it, they have to be able to know if they're moving in the right direction once they get close. That means an binary search (probably 10-ary) will do the job. This problem is computationally trivial. If this gets used on a single interesting site or a large number of uninteresting sites (e.g. wordpress or phpBB), you'll soon be spending more time making keys than you would spend filtering spam.
IIf this gets used on a single interesting site or a large number of uninteresting sites (e.g. wordpress or phpBB)
Ooooh BURNNN on Wordpress!
The Ryan Air site now makes you watch an advertisement before viewing their CAPTCHA.
and start knocking on doors
I thought the Watch Tower Bible and Tract Society had the patent on this. :p
Also make it harder for you to solve CAPTCHAs. And there's nothing worse than CAPTCHAs on mobile.
So, scaring users away with wall of text and (more) complex instructions (than usual) while making it easy for the bots
No... only a few questions need to be asked. There are already a lot of questions on a signup form.
- they only have to know answer to few questions and refresh the page until three of those come up.
What makes you think they can refresh the page and get more questions?
I would limit signups to 1 signup per IP address per 2 hours, and use a hash of a timestamp with a 60 minute resolution concatenated with their IP address to uniquely select questions.
If they refresh the page; they will get the same questions.
+1000 !
I am an intelligent person (probably like most people here), and also extremely observant by anyone's standards, and I find that the majority of the time, at least one character of the captcha is so hard to read that I have a 50% chance at best of getting it right.
We have NLP that can parse sentence structure from syntax/grammar, and there's only one question in the entirety of what you posted. Hell, for that specific example I could isolate the relevant bit with a regex looking vaguely like /.*[,\.]([\w\d ]+\?).*/ (and yes, I know that would be defeated by scattering random question marks around the place, but I still think it's damning for your approach).
Besides that, I'll give you a dollar if you can put up a site that uses that system without the response from the registering public being "WTF how is log in formed?"
and there's only one question in the entirety of what you posted
Then I suppose you have, accidentally, shown my proposal as too complex - Because the "one question" counts as a red herring and gives you the wrong answer (thus my final statement of auto-banning anything that answers 50.858).
FWIW, the real "question" appeared as "He noted the blood, ignored the rest".