Slashdot Mirror
Campaign To Kill CAPTCHA Kicks Off
Bismillah writes "CAPTCHA may be popular with webmasters and others running different sites, but it's a source of annoyance to blind and partially sighted people — and dyslexic people and older ones — who often end up being locked out of important websites as they can't read wonky, obfuscated letters any more than spambots can. A campaign in Australia has started to rid sites of CAPTCHA to improve accessibility for everyone."
If the campaign was taken over by bots?
Yes it is stupid. I understand that spam is a problem, but if you run a website, it's *YOUR* problem. CAPTCHAs make it *MY* problem and that's just stupid.
I often need three stiff drinks just to be able to read the things.
If taking a couple seconds to answer a CAPTCHA is too much effort, I probably don't really care what you have to say in the comment section.
I understand that spam is a problem, but if you run a website, it's *YOUR* problem. CAPTCHAs make it *MY* problem and that's just stupid.
If the website you use is overrun by spam to the point of being unusable, then it's your problem as well.
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
As someone that runs a website, without CAPTCHAs I'd be fucked.
There are bots that can automatically register on a site, then check the email account for the activation link, in order to start spamming, so that's not a solution.
The newer 'flash games' e.g. 'out of 5 objects, put the drinks in the cooler' are an interesting solution, but that probably still won't work for people with accessibility issues.
Moderation can work on sites like slashdot, but on lower traffic sites not so much, and the signal to noise ratio will be awful.
If Australia pass this and actually clamp down on 'offenders' it will do more harm than good as the only recourse webmasters will have is to not allow people to register/interact with the site as the cost of cleaning up spam will be too high.
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
Yeah, but we value what blind people have to say. "Damn near the entire human race" can go fuck themselves.
If taking a couple seconds to answer a CAPTCHA is too much effort, I probably don't really care what you have to say in the comment section.
Or a couple of minutes considering most capchas are illegible.
I'm a good cook. I'm a fantastic eater. - Steven Brust
For every task that a computer is unable to handle, there exists a reasonably well-functioning human who cannot do it either.
Finally! A year of moderation! Ready for 2019?
It's quite likely that some forums may prefer only letting in people capable of understanding logic, and there aren't any laws against discriminating against those people.
Perhaps, but if you're trying to monetize the site you're running you'd be a fool to do something that prevents a good 80-90% of people from accessing it.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
I think you're missing the idea of what type of logic puzzles they mean. Simple things like image processing (someone in the comments below brought the example up of using company logos and you type the name, pizza toppings matched to the correct pizza) or natural language processing could be used to WRECK a bot. Imagine this, I pose the question as a human verification, "What color was George Washington's favorite white horse?" A human (with half a brain) easily sees how stupid simple it is to find the answer which is white, but a bot would have hell with that type of question because it involves language processing to determine the appropriate response. That is a pretty simplified example, but you can find these all over the place and they are fairly easy to create.
Some of these could be defeated easily with something like a call to Wolfram Alpha, but you could quite easily find and create things that are not going to be simple to automate the logic processing, but would be completely trivial for a human to process, even stupid ones. Language and image processing are RIDICULOUSLY difficult to automate efficiently which would defeat the purpose of the bots, while making things a lot easier on the people that do have to deal with this sort of thing. I personally hate the current version of CAPTCHAS (hell, I can't read some of the more difficult ones and I write some of the software that USES them), but I do recognize the need for them. No reason they can't be improved upon though.
Add some fields which start out as regular text fields but then hide them with Javascript. You can give them labels or default values like "Don't change this" in case someone doesn't have Javascript enabled. Give the real fields in your form random names. For the hidden fields, give them names like "subject" or "comments" or "url" (don't use common names for personal info like "email", "fname" etc that the browser might automatically fill out). When they submit the form, check for values in those hidden fields (either any value at all, or a value different than the default). If they are filled out, reject the form. Hiding the fields with Javascript will work for virtually everyone and it doesn't require real people to do anything extra. This will fail against bots that bother to actually render the page or bots that specifically target your site (which can be remedied if you randomize all field names and store the random names in the session to match them up when the form gets submitted), but those are far less common than bots that just get the HTML and parse it to look for form actions and field names.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Wolphram Alpha had no idea about the color of Washington's favorite white horse (it looked up the distance between some town named George, WA and White Horse,NJ), but if you put it into google, you discover that Washington had no white horses, the closest being a gray named Blueskin.
If I have been able to see further than others, it is because I bought a pair of binoculars.
I was about to tell you to take advantage of the audio alternative offered by many services, then I went and tried a reCAPTCHA audio test to make sure I knew what I was talking about.
I apologise for even considering telling you to use those.
If taking a couple seconds to answer a CAPTCHA is too much effort, I probably don't really care what you have to say in the comment section.
Or a couple of minutes considering most capchas are illegible.
This!
More and more, captchas take two or three attempts.
(Disclaimer: IMHO, I'm not senile, dyslexic, a horrible typist. blind. Your opinion may vary).
I suspect some sites are intentionally forcing a fail once or twice, at least occasionally, especially when you enter the word
in a timely interval. Bots probably give up after two failures, and they probably answer quickly.
So implementers make it more and more restrictive and throw in bogus failures.
Sig Battery depleted. Reverting to safe mode.
I've been developing websites over 10 years and have never needed a captcha system.
This is how I always go about it:
1) Include a form input element labelled as something common, like a telephone number but on a registration form that would never actually require a telephone number. Hide the parent div using CSS in an external CSS file. When the form is submit, check to see if the element is filled out. If it is, simply display a message that you think their registration may be automated and to try again. If it continues, please contact us by other means (phone, email, etc) and we will help them through it.
2) Time the registration from the time the page is loaded to the time it is submit, if its less than 10 seconds, do the same as above, simply display a message saying you think their registration is automated and to try again, etc.
When used in conjunction I feel I've cut out 99.9999% of spam or false registrations. The timing method has to be done server side and stored in a session, and is fairly involved so not easy to do properly if you are new to web development. There is also the issue of someone hitting the back button to try again after a failed submission (if you don't use client-side validation), and them submitting from a cached page, but can be worked around if you know what you are doing.
Obviously its not bullet proof, and if the CSS file doesn't load then someone would see the extra form element. But its a small price to pay for effective protection.
Anyone else have other methods they use?
If taking a couple seconds to answer a CAPTCHA is too much effort, I probably don't really care what you have to say in the comment section.
It's not longer just a couple of seconds when one has to hit the reload button a dozen or so times before they get a CAPTCHA that's remotely readable.
And half the sites bit-bucket at least some of the data you've entered just as further punishment. So you have to type that in again.
Show me the captcha before I enter any data please. That alone would confuse half the bots out there. (For a while).
Sig Battery depleted. Reverting to safe mode.
People seem to forget that the term "CAPTCHA" (Completely Automated Public Turing test to tell Computers and Humans Apart) applies to a much broader set of tests than just those obfuscated text-based things that most of us loathe. Banning CAPTCHAs is a silly notion that would adversely affect every site currently using them, as they become swarmed by spammers. Instead of banning them, they should be asking people to use sane, simple CAPTCHAs.
For instance, on a forum I run for a group in a game, I use a form of CAPTCHA that has people drag words into categories. As an example, if our group name was "Guild X of Y", I might make the categories "Words in our group's name" and "Words not in our group's name", then ask them to categorize the words "Guild", "Elephants", "X", "Tree", "Honor", "Plus", and "Ocean". I have about two dozen sets of categories and words configured, and so far it's had a 100% success rate at stopping spammers from registering. It's also made it easier for people to register, since the number of e-mails and other off-forum messages I've received complaining about the difficulty of the CAPTCHA has dropped to 0 while registrations have actually picked up.
Such a system would obviously not work for Google or someone that large, since a spammer would just train the bot to know all of the answers, but for smaller sites, there are plenty of solutions that work just fine, and I'm sure we can find more systems that are simple for a human but complicated for a computer. No need to make something that's so complicated for a human to solve.
Alternatively, go with xkcd's approach to solving the problem of spam.
You realize that many of the people complaining about captchas are blind, right?
Easily solved with an appropriate ALT tag, something like "A picture of a person holding a frankfurter in her right hand." In fact, can't all CAPTCHAS be fixed by simple use of the appropriate tag? "A picture of the characters E, Q, 3, 6, T and 9".
Minteye was very thoroughly broken.
http://translate.google.com/translate?sl=ru&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Fhabrahabr.ru%2Fpost%2F167359%2F&act=url
Essentially, the guy realized that jpeg pictures with distortions should have a completely different size than the undistorted picture. But all pictures delivered by minteye were of identical length. He figured they were padding the files with zeros, and he was right. By counting the number of zeros at the end of the file, the local maxima/minima was the correct file. He wrote a few lines of javascript, and it was broke.
John
Bad guys run some pretty high traffic sites that oddly enough, require captchas. Their client bots forward the real site captcha to the bad-guy site, which delivers it to a human who wants access to the bad-guy site and answers it - which answer is passed back to the bot and submitted to the legitimate site in real time. They also compromise legitimate captcha-secured sites for the same method. It's the Mechanical Turk method of defeating CAPTCHA. Machine learning of text recognition is not required.
Help stamp out iliturcy.
Whatever you use, you need to be able to generate an arbitrary amount of it without significant repetition, without structure that can be automated towards, and with a large "answer space" (number of possible answers) to make the percentage of 'lucky guess' answers extremely low. Oh, and it needs to be easy for humans but difficult for computers.
Generating distorted text is perfect - random characters, random distortions, nothing about the form of the puzzle that can be used as a shortcut to the answer, guessing strings at random is fruitless, and it hits computers right in the vision, where they (used to) suck and we're really good. Unfortunately that gap is narrowing, and humans on the lower end of visual acuity are getting locked out.
Generating an endless stream of simple trivia questions is going to require a significant bank of facts, then you're going to hit the problem that if the generation method is known it can be reversed and used against you (e.g. if the answer aways appears as a word in the question, just guess a randomly chosen word from the question and you get a trivially easy 10% or so success rate). Automating the question generation is almost as hard as automating the answers...