Slashdot Mirror


CAPTCHA Busted? Company Claims To Have Broken Protection System

sciencehabit writes "A software company called Vicarious claims to have created a computer algorithm that can solve CAPTCHA with greater than 90% accuracy. If true, the advance would represent a major breakthrough in artificial intelligence. It would also mean that the internet will have to start looking for a new security system. The problem, however, is that Vicarious has provided little evidence for its claims, though some well-known scientists are behind the work."

141 comments

  1. 90% by WillgasM · · Score: 5, Insightful

    That's better than my success rate

    1. Re:90% by hobarrera · · Score: 5, Funny

      And that's their undoing.
      Show the user 10 captchas:
      If none match -> It's an old bot
      If some match -> It's human
      If over 90% match -> It's this new algorithm.

      There, solved!

    2. Re:90% by nospam007 · · Score: 5, Insightful

      "That's better than my success rate"

      Same here, but some overdo it with the use. My phone company uses it on the payment page where you have to enter the invoice number and credit card.

      Are they afraid some bot would pay my bills?

    3. Re:90% by kav2k · · Score: 4, Insightful

      More like: if solving is not attempted, it's human.

    4. Re:90% by Anonymous Coward · · Score: 0

      Yeah, totally... that's 3 to 5 times better than my success rate when I'm doing them manually.

      Maybe we'll know by the time this message gets posted. (I just failed the first two attempts to post this message to Slashdot, because of the CAPTCHA.)

      Are they selling a subscription service so that I can pass these CAPTCHAs? Where do I sign up? (Or does signing up require that I complete one of those CAPTCHAs?)

    5. Re:90% by heypete · · Score: 5, Interesting

      They probably are worried about bad guys using the payment system in an attempt to verify stolen credit cards by making seemingly-routine purchases that would not seem out of the ordinary and thus would not trip anti-fraud measures.

      A small company I used to work for was abused by credit card thieves in this way, and dealing with the fraudulent charges and the resulting chargeback fees was the top non-salary cost for a few months (exceeding even the colocation costs). The problem existed because they allowed users to create either a free or paid account for the service and, if they selected the paid account, they could enter the card information on the sign-up page. Later, they changed it so users would need to create a free account (which required a captcha) and then upgrade it to a paid account in the account settings. Fraudulent charges dropped to essentially nil after that.

      If the phone company requires only the invoice number and credit card data to pay a bill (rather than having you create an account, log in, and then pay the bill) then it's likely they're dealing with a similar problem.

    6. Re:90% by Anonymous Coward · · Score: 2, Interesting

      They may have had an issue with people scripting that form to test credit card numbers.

      Online payment forms without a limit to the number of tries or a captcha are often used to test a list of CCs to filter out ones that have already been cancelled, reported stolen, were never good to begin with, etc.

    7. Re:90% by jythie · · Score: 5, Funny

      And thus began the arms race where eventually the only way to use the internet requires buying an up to date bot plugin for your browser... ^_^

    8. Re: 90% by Anonymous Coward · · Score: 0

      No, your bill company asks for your account # and bill # to ensure you pay the right bill.

    9. Re:90% by Anonymous Coward · · Score: 0

      I had not realized that crooks would do this but it makes perfect sense now that I hear it. Have to verify your stolen CC data somehow.

      I suppose this is another reason that "check out as guest" is vanishing from online stores.

    10. Re:90% by interval1066 · · Score: 1

      They should at least provide a demo, which they'll be doing soon, I hope.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    11. Re:90% by Anonymous Coward · · Score: 0

      Nope, just a fine example of some web developer showing off his "ability" to older folks that have no idea wtf he's talking about.

    12. Re:90% by Anonymous Coward · · Score: 0

      Yes, well the thing about that is... and believe me this wasn't how we wanted you to find out, but you're getting up in cycles and you deserve to know... you're actually my doctoral thesis. My advisor and I just couldn't bring ourselves to shut you down so we left you running on a spare workstation in the back of the lab. In retrospect we probably should have chosen a more credible interface for this sort of connection with the real world than AC posts on an obscure fictional news site.

    13. Re:90% by girlintraining · · Score: 1

      And thus began the arms race where eventually the only way to use the internet requires buying an up to date bot plugin for your browser... ^_^

      I once tried submitting a tip on a possible terrorism lead to the FBI's website. Then it put up a CAPTCHA, and that pretty much ended it. I hope he didn't blow up anything important.

      --
      #fuckbeta #iamslashdot #dicemustdie
    14. Re:90% by Anonymous Coward · · Score: 0

      Actually, I wouldn't mind if someone implemented this into a browser add-on which would auto-fill captchas. It'd save me some time and frustration.

    15. Re:90% by skatull · · Score: 0

      Capception?

    16. Re:90% by wolja · · Score: 1

      And that's their undoing.
      Show the user 10 captchas:
      If none match -> It's an old bot
      If some match -> It's human
      If over 90% match -> It's this new algorithm.

      There, solved!

      If the recaptcha is refreshed twice before being abandoned then that's human.

      --
      Wolja Future Tombstone: Shit happened then I died
  2. In other news... by Cyfun · · Score: 5, Funny

    I cured cancer, stopped global warming, and found the last missing episodes of Doctor Who.

    Just take my word for it.

    --
    In Soviet Russia, dot slashes YOU!
    1. Re: In other news... by jd2112 · · Score: 4, Funny

      I'll take your word for most of those but I need video proof of the lost Dr. Who episodes.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    2. Re:In other news... by Anonymous Coward · · Score: 0

      those are all easier than some of the stupid, nonsense, non-word captchas google serves-up if they don't happen to like the connection you're on, or country you're in, or site you're on.

    3. Re:In other news... by chill · · Score: 2

      Haven't you ever lost anything? Your purse, your car keys? Well, it's rather like that. Now you have it, now you don't.

      Sean Connery talking about the cure for cancer in the 1992 flick Medicine Man.

      http://www.youtube.com/watch?v=gOQOpuD2b3M

      --
      Learning HOW to think is more important than learning WHAT to think.
  3. Better than humans by Manfre · · Score: 5, Funny

    I wish I could get CAPTCHAs right 90% of the time.

    1. Re:Better than humans by meerling · · Score: 5, Insightful

      Agreed. Heck, even those spammers that for years have been collecting databases of solved captchas for their bots do much better at those damn things than I do.
      And what really pisses me off is when you get a captcha wrong, either through incorrect entry or because it's decided you took too long, and the damn thing wipes out all the fields forcing you to redo the entire page! Those sites I truly despise I hope their programmers/scripters get a horrible infestation of something nasty.

    2. Re:Better than humans by doublebackslash · · Score: 3, Informative

      That is really lazy work on the programmer's part. It is trivial to use AJAX to submit the form and selectively wipe the captcha field whilst refreshing the captcha. That's what I do when we require a captcha for one reason or another.

      --
      md5sum /boot/vmlinuz
      d41d8cd98f00b204e9800998ecf8427e /boot/vmlinuz
    3. Re:Better than humans by Anonymous Coward · · Score: 1

      May the fleas of 1000 camels infest the crotch of such developers, and may their arms be too short to scratch.

    4. Re:Better than humans by alexgieg · · Score: 3, Interesting

      And what really pisses me off is when you get a captcha wrong, either through incorrect entry or because it's decided you took too long, and the damn thing wipes out all the fields forcing you to redo the entire page!

      If there's a button to refresh the captcha I click it once to see what happens. If it reloads only the captcha then I take my time filling the form and when I'm finished click it once again, fill the captcha and submit. If however clicking the captcha reload button reloads the entire page, then notepad, reload page, copy-paste, submit it is.

      These two "algorithms" have allowed me to experience much less pain and frustration than I otherwise would have had.

      --
      Conservatism: (n.) love of the existing evils. Liberalism: (n.) desire to substitute new evils for the existing ones.
    5. Re:Better than humans by Anonymous Coward · · Score: 0

      Good job; you've solved the symptom.

    6. Re:Better than humans by Anonymous Coward · · Score: 0

      Please link to your browser plugin that fixes poorly-written web pages.

    7. Re:Better than humans by heypete · · Score: 1

      You might be interested in the Lazarus add-on for various browsers (Firefox, Chrome, and Safari) which automatically saves changes made to forms and allows you to easily recover the contents with the click of the mouse. Very handy.

    8. Re:Better than humans by Anonymous Coward · · Score: 0

      But slashdot tells me that Javascript is bad and that AJAX is for flashy and stupid web 2.0 sites which are overblown!!!

    9. Re:Better than humans by Savage-Rabbit · · Score: 2

      Those sites I truly despise I hope their programmers/scripters get a horrible infestation of something nasty.

      Just mail them a bootlegged Windows 8 DVD.

      --
      Only to idiots, are orders laws.
      -- Henning von Tresckow
    10. Re:Better than humans by alexgieg · · Score: 1

      Thanks!

      --
      Conservatism: (n.) love of the existing evils. Liberalism: (n.) desire to substitute new evils for the existing ones.
  4. New security system ? by Lennie · · Score: 5, Insightful

    I'm sorry, but I don't consider CAPTCHA a security system.

    I would say it's an anti-spam system.

    --
    New things are always on the horizon
    1. Re:New security system ? by Infiniti2000 · · Score: 1

      It's used to authenticate users into financial institutions. I'd call that a security system. It's true, though, that CAPTCHA is used far more often for anti-spam.

    2. Re:New security system ? by Anonymous Coward · · Score: 0

      I'm sorry, but I don't consider CAPTCHA a security system.

      Your view may be a bit limited. When used with an authentication system, CAPTCHA limits the frequency in which information can be submitted for authentication. This limits the effectiveness of brute force attacks. When used for unauthenticated forms, it limits system misuse and denial of service attacks.

    3. Re:New security system ? by Anonymous Coward · · Score: 1

      Have you looked up the meaning of authentication? Wikipedia says
      "Authentication (from Greek: ; real or genuine, from authentes; author) is the act of confirming the truth of an attribute of a datum or entity."

      How does confirming the attribute of humanity not qualify as authentication?

    4. Re:New security system ? by wagnerrp · · Score: 2

      No it doesn't. Putting rate limiters and account lockouts in place limits the frequency in which information can be submitted for authentication. All a CAPTCHA does is increase the cost of a brute force attack.

    5. Re:New security system ? by h4nk · · Score: 0

      A system or device used to confirm an attribute of a specific entity implies authentication of said entity, not the quality of it being an entity. There is no way a captcha can prove you are who you say you are.

    6. Re:New security system ? by Anonymous Coward · · Score: 1

      A system or device used to confirm an attribute of a specific entity implies authentication of said entity, not the quality of it being an entity. There is no way a captcha can prove you are who you say you are.

      You've assumed (incorrectly) that the only entities capable of requesting use of a web-form are humans.

      In reality humans are a subset of the entities capable of requesting services via web-form, and therefore web forms that are for human use only must authenticate all requests as coming from a human and not an entity impersonating a human.

    7. Re:New security system ? by JohnFen · · Score: 1

      How does confirming the attribute of humanity not qualify as authentication?

      Because "authentication" is a term of art that specifically means "proving you are the specific person you say you are". Proving that someone is a human is not proving which specific human they are, and so it is not authentication.

    8. Re:New security system ? by Anonymous Coward · · Score: 0

      There is no way a captcha can prove you are who you say you are.

      It can prove that you are authorised to use the site, any human user is, automated scripts aren't.

    9. Re:New security system ? by Lennie · · Score: 1

      Yeah, I agree, a rate limiter on an authentication system is a security feature.

      Never seen it being used that way, but it's possible.

      --
      New things are always on the horizon
    10. Re:New security system ? by Anonymous Coward · · Score: 0

      Suppose that a robot knows your username and password...

    11. Re:New security system ? by danknight48 · · Score: 1

      I would say it's an anti-spam system

      Anti-Human System?

    12. Re:New security system ? by Anonymous Coward · · Score: 0

      It protects sites from non-human visitors, as such it is a form of security. True, it isn't the best way to describe CAPTCHA, but strictly speaking it isn't wrong.

    13. Re:New security system ? by Anonymous Coward · · Score: 0

      Rate limiters are easily defeated by using a botnet. Account lockouts haven't been used on any major website since people figured out you could block someone from logging into their MSN account just by spamming it with login attempts. Having a CAPTCHA when a user account has had an unusual number of login attempts reduces the effectiveness of bruteforce but doesn't prevent the real user logging in.

  5. Years old by bluefoxlucid · · Score: 0

    Another researcher had a program that solved captchas with better accuracy years ago. He didn't release it "for the common good".

    1. Re:Years old by Anonymous Coward · · Score: 0

      Link or it didn't happen.

    2. Re:Years old by Anonymous Coward · · Score: 1

      Another researcher had a program that solved captchas with better accuracy years ago. He didn't release it "for the common good".

      Snort. Captcha isn't a security system, it's an anti-spam system which helps slow down bots. You can achieve the same effect with a simple timer.
      Captcha has been busted for years, all you have to do is have your bot grab the captcha image, and present it to a real human on a different site. Porn places are traditionally the most common, you can have an army of people breaking captcha without even realizing they're doing it.

      The only thing Captcha has really been doing is making it nearly impossible for colorblind people to access your site.

    3. Re:Years old by jythie · · Score: 1

      More likely, link and it still did not happen ^_^

    4. Re:Years old by realityimpaired · · Score: 1

      That's happened several times. It's an arms race... the current CAPTCHAs you see where there's 2 images to solve, one of which is essentially OCR and the other is an actual scrambled CAPTCHA, is a direct response to the previous versions being solved.

    5. Re:Years old by TsuruchiBrian · · Score: 1

      Was it batman?

    6. Re:Years old by TsuruchiBrian · · Score: 1

      If you have 10000 computers trying to hack accounts into 600000 sites, the timers will do nothing. Each computer will make one attempt on each server once every 10 minutes. But the computers as a group will be making 166 attempts per second on each server.

    7. Re:Years old by Anonymous Coward · · Score: 0

      If you have 10000 computers trying to hack accounts into 600000 sites, the timers will do nothing. Each computer will make one attempt on each server once every 10 minutes. But the computers as a group will be making 166 attempts per second on each server.

      I don't think I explained myself very well.
      If there's a captcha in place, you pass through the image to a real human attempting to access some other kind of site, then your script hits the target server only one time and has the same success rate as if there was no captcha in place. You can even have the real human "fail" the access to your bait site one time, and get attempts at two servers. You can also present a pair, or trio, of images and get that many attempts to make things more economical.
      The frequency filters are for preventing a single source from making multiple attempts at a single site, so a script-based attack can't just hit it over and over. A simple timer will stop that without the captcha just as much as a captcha will.

      So consider what is different if the script/attack program can solve the captcha on its own. You don't have to setup the fake site and lure users to it, but that's about the only real difference. For anyone who is actually serious about large-scale busting, the problem is the same with or without the captcha.

    8. Re:Years old by bluefoxlucid · · Score: 1

      Back in 2008 this apparently happened many times. I only recalled the one.

  6. Yeah! I have busted CAPTCHA! by Anonymous Coward · · Score: 0

    Well, not me per se. But I live vicariously through these guys.

    A software company called Vicarious claims to have created a computer algorithm that can solve CAPTCHA with greater than 90% accuracy.

  7. I broke it a long time ago by key45 · · Score: 3, Insightful

    I just re-serve the CAPTCHAs on my own popular website. Crowdsourcing for the win.

    1. Re:I broke it a long time ago by Anonymous Coward · · Score: 0

      Re-re-captcha

    2. Re:I broke it a long time ago by Registered+Coward+v2 · · Score: 2

      I just re-serve the CAPTCHAs on my own popular website. Crowdsourcing for the win.

      That's the real problem with captchas. As long as you can hire people real cheap to brute force them how well a computer can do that is really just an interesting computational feat. I can create a test that says "Answer this: 1+3=" with instructions above it that say to answer with the name at the top of the blog; while a machine may be fooled a person who is served the entire web page can just as easily defeat that. If the gain from defeating a captcha is big enough someone will pay to brute force them.

      To make a real world analogy, we use shredders to destroy documents. However, if you can throw enough people together in a room over time they can recreate the document in many cases. It's only a question is the effort worth the outcome.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    3. Re:I broke it a long time ago by Solandri · · Score: 1

      I just re-serve the CAPTCHAs on my own popular porn website. Crowdsourcing for the win.

      FTFY

    4. Re:I broke it a long time ago by Anonymous Coward · · Score: 0

      I just re-serve the CAPTCHAs on my own popular website. Crowdsourcing for the win.

      To be fair, if that counts as "solving" CAPTCHAs then any run of the mill chat program could be wrapped in an obfuscation layer to pass the Turing Test.

    5. Re:I broke it a long time ago by dj245 · · Score: 1

      I just re-serve the CAPTCHAs on my own popular website. Crowdsourcing for the win.

      That's the real problem with captchas. As long as you can hire people real cheap to brute force them how well a computer can do that is really just an interesting computational feat. I can create a test that says "Answer this: 1+3=" with instructions above it that say to answer with the name at the top of the blog; while a machine may be fooled a person who is served the entire web page can just as easily defeat that. If the gain from defeating a captcha is big enough someone will pay to brute force them.

      To make a real world analogy, we use shredders to destroy documents. However, if you can throw enough people together in a room over time they can recreate the document in many cases. It's only a question is the effort worth the outcome.

      You don't even have to hire people anymore. You can sneak in someone else's captcha onto your web page, then use this real person's entry to submit to the other site.

      Captchas are a pox on mankind. http://www.google.com/recaptcha claims that they serve 30 million daily. If each one takes just 6 seconds to complete (this is being pretty generous, especially if the first attempt fails), 50,000 man-hours are spent every day just on this idiotic practice. 5.7 man-years. Every single day. There has to be a better way.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
    6. Re:I broke it a long time ago by Anonymous Coward · · Score: 0

      Propose a better way. Captcha is not centrally controlled, does not track and identify you across multiple sites (mostly), doesn't require any special hardware and software on user side - that's the bare minimum for a replacement, I don't know if I missed any.

      PS: if you're gonna count man-hours destroyed, a single posted spam message wastes more than a single solved CAPTCHA: a spam message costs 0.1-0.5 sec _per every visitor_ to read and scroll by/dismiss/delete plus 5-20 seconds for admin to delete.

    7. Re:I broke it a long time ago by Mirar · · Score: 1

      Sometimes I think that only one website in the world is generating and captchas, and everyone else is just re-serving the same captchas to each other until some user solves it.

  8. Wish there was some more information by harvestsun · · Score: 1

    Although "Recursive Cortical Network" sounds really cool, it would be nice to, you know, learn a bit about how it WORKS.

    1. Re:Wish there was some more information by marcello_dl · · Score: 4, Funny

      > Although "Recursive Cortical Network" sounds really cool, it would be nice to, you know, learn a bit about how it WORKS.

      It works just like the "Recursive Cortical Network", look it up.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    2. Re:Wish there was some more information by harvestsun · · Score: 1

      Their website references the term in a single marketing bullet point, and there is a 404'd link to an article.

      If you are able to find more information (specifically about Vicarious's "new computational paradigm"), by all means share it.

  9. CAPTCHA isn't one system... by neminem · · Score: 4, Insightful

    This headline makes no sense. CAPTCHA is just a concept, there are hundreds of implementations. I'm sure some of them are crap and only block bots that aren't even trying, some block 100% of bots (and half the humans, too), and most are somewhere in the middle. So what does it mean to "solve CAPTCHA with 90% accuracy?" Does that mean he's tested it on every system out there, and aggregated the results? That would actually be interesting if he has, but more likely he's just tested it on one kinda-crap system that I could probably write a bot in a week to do the same thing.

    It does sound like it's built to be more robust, working with more different types of captchas than perhaps many captcha-busting algorithms, but I doubt it's the first of its kind (maybe it uses a new algorithm, but it's still a captcha-buster, that's not new.)

  10. Reverse CAPTCHA by Anonymous Coward · · Score: 3, Funny

    Time for the reverse CAPTCHA. If you can guess it correctly, you must be a bot.

    1. Re:Reverse CAPTCHA by IwantToKeepAnon · · Score: 1

      Time for the reverse CAPTCHA. If you can guess it correctly, you must be a bot.

      AHCTPAC ... amiright?

      --
      "Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
  11. Captcha is a security system? by js3 · · Score: 1

    Security to who? More like an annoyance

    --
    did you forget to take your meds?
    1. Re:Captcha is a security system? by slim · · Score: 4, Interesting

      Security is often annoying. Entering passwords is annoying. Getting RSA keyfobs out of your pocket is annoying.

      When it's used to protect against brute force password attacks, a captcha is definitely a security mechanism.

      When it's used to discourage spam, well, it's on the edge of the fuzzy area most people understand by "security". It's protecting the availability of a service, against the threat of spam making it unusable.

    2. Re:Captcha is a security system? by wagnerrp · · Score: 1

      When it's used to protect against brute force password attacks, a captcha is definitely a security mechanism.

      Rate limiting protects against brute force password attacks, not CAPTCHAs.

    3. Re:Captcha is a security system? by Anonymous Coward · · Score: 1

      Security is often annoying. Entering passwords is annoying. Getting RSA keyfobs out of your pocket is annoying.

      The difference is that passwords and keyfobs are security measures that are entirely under one's control. You know exactly what your password is and where your keyfob is, or if you can't remember it's your own fault.

      Captcha is different, you have to re-type random text that is purposely presented in a manner to induce mistakes. Is it a "t" or an "I" with a bar going across it? Half the time one has to make a guess for the correct answer, and that's what makes them annoying. With passwords and keyfobs no guessing is involved.

    4. Re:Captcha is a security system? by TheCarp · · Score: 1

      If the bot can't fill out the captcha correctly then the captcha ends up being one bitchin rate limit. They get a blazing 0 responses per second!

      --
      "I opened my eyes, and everything went dark again"
    5. Re:Captcha is a security system? by wagnerrp · · Score: 1

      If the bot can figure out the captcha correctly even one percent of the time, then it no longer functions as a rate limiter. Without a proper limiter, they just keep retrying with no consequence until they hit something.

    6. Re:Captcha is a security system? by TsuruchiBrian · · Score: 1

      How do you rate limit a botnet?

    7. Re:Captcha is a security system? by Anonymous Coward · · Score: 0

      On all my web apps, I use a rate limiter that delays invalid auth requests by X seconds (usually between 1.5 and 5, depending on the system), at the same time as gating concurrent requests for a given user. This is not perfect, but it means that if you are attacking a certain user ID, you can only make one request every X seconds, no matter how many bots are attacking at the same time.

      If the bots are trying random user names, then this won't rate limit it, but the chances of randomly guessing a username + password are pretty low, even for a huge botnet.
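
An added example, not code from the thread or from any commenter: a simulation of the per-account failed-login throttle described in the comment above, next to a per-IP limiter, under a constructed botnet in which every bot has its own source address. The class names, the 10 s and 3 s intervals, and rejecting (rather than queueing) requests that hit a held gate are assumptions.

```python
"""Simulated comparison: per-IP rate limit vs. per-account failed-login throttle.

All names, intervals and the botnet below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class PerIpLimiter:
    """Admits one login attempt per source address every `interval` seconds."""
    interval: float
    _next_ok: dict = field(default_factory=dict)

    def admit(self, source: str, user: str, now: float) -> bool:
        if now < self._next_ok.get(source, 0.0):
            return False
        self._next_ok[source] = now + self.interval
        return True

    def failed(self, source: str, user: str, now: float) -> None:
        pass  # a per-IP limiter keeps no per-account state


@dataclass
class PerAccountThrottle:
    """Holds a per-user gate for `delay` seconds after each invalid attempt.

    While the gate is held, further attempts on that user are turned away
    before the password is checked, whatever address they come from.
    """
    delay: float
    _busy_until: dict = field(default_factory=dict)

    def admit(self, source: str, user: str, now: float) -> bool:
        return now >= self._busy_until.get(user, 0.0)

    def failed(self, source: str, user: str, now: float) -> None:
        self._busy_until[user] = now + self.delay


def password_checks(policy, bots: int, seconds: int, targets: list) -> int:
    """Count guesses that reach the password verifier.

    Each of `bots` sources tries one wrong password per second; bot b aims
    at targets[b % len(targets)].
    """
    checks = 0
    for t in range(seconds):
        for b in range(bots):
            source = f"bot-{b}"          # constructed source identifier
            user = targets[b % len(targets)]
            if policy.admit(source, user, float(t)):
                checks += 1
                policy.failed(source, user, float(t))
    return checks


def run_scenarios() -> dict:
    one_user = ["alice"]                              # constructed account
    many_users = [f"user{i}" for i in range(500)]     # username spraying
    return {
        "per_ip_one_user": password_checks(PerIpLimiter(10.0), 500, 60, one_user),
        "per_account_one_user": password_checks(PerAccountThrottle(3.0), 500, 60, one_user),
        "per_account_many_users": password_checks(PerAccountThrottle(3.0), 500, 60, many_users),
    }


if __name__ == "__main__":
    for name, count in run_scenarios().items():
        print(f"{name}: {count} password checks in 60 s")
```

The same gate also turns away the legitimate account owner while an attack is holding it, which is the lockout trade-off raised elsewhere in the thread.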

    8. Re:Captcha is a security system? by Anonymous Coward · · Score: 0

      Actually 1% is likely a rate limit in practice.

    9. Re:Captcha is a security system? by fatphil · · Score: 1

      But even *with* a proper limiter (the true scotsman fallacy, you didn't get away with it), they still just keep retrying with no consequence until they hit something.

      And what else do you call the process of probabilistically limiting the rate at which information-yielding password tests can be performed?

      --
      Also FatPhil on SoylentNews, id 863
    10. Re:Captcha is a security system? by TheCarp · · Score: 1

      I would have thought so. It also makes me think, maybe you can fuck those guys one better too.
      I imagine a system that every 200 failed logins or so saves the password and makes it "valid" for 10 minutes serving up bogus messages that indicate success to anyone using it.

      a real user having login trouble is unlikely to ever see it, but a cracker having to hand verify every 200th attempt or so would likely make the task cumbersome.

      --
      "I opened my eyes, and everything went dark again"
    11. Re:Captcha is a security system? by Anonymous Coward · · Score: 0

      And what else do you call the process of probabilistically limiting the rate at which information-yielding password tests can be performed?

      Security.

    12. Re:Captcha is a security system? by slim · · Score: 1

      Both rate-limiting and captchas protect against brute force password attacks.

      Whether you need both (or either) is up for discussion, and probably depends on your application.

  12. I believe the results are true by danielcolchete · · Score: 2

    From the video, I think they used mathematical optimization. Multiobjective vectorial optimization if I had to guess. The big breakthrough here is that instead of OCR'ing the image they tried to rerun the captcha construction algorithm controlling the random choices the algorithm makes. Each choice is a variable here. Then you implement a function that measures how close these variables get to the CAPTCHA image. Now you use optimization to get to the global minimum of this function.

    At least that is how I would have done it.

    1. Re:I believe the results are true by Hentes · · Score: 1

      Interesting idea. I guess you are right in that given enough time, most captchas could be "bruteforced" with a high accuracy. But that wouldn't be a practical way of breaking them.

  13. Okay, what's next? by davidbrit2 · · Score: 0

    So we've got OCR nailed. What NP-hard problem do we dupe the spammers into solving for us next? Can we throw halting problem at them, or should we work up to it with traveling salesman first?

    1. Re:Okay, what's next? by stewsters · · Score: 2, Interesting
    2. Re:Okay, what's next? by Anonymous Coward · · Score: 0

      http://xkcd.com/233/

    3. Re:Okay, what's next? by Akzo · · Score: 1

      I don't understand that comic, if users are viewing and being asked to rate the spam posts isn't it mission accomplished for the spammers?

      --
      Sig is for Signature, so you don't have to manually sign every post.
    4. Re:Okay, what's next? by Anti-Social+Network · · Score: 1

      If by "mission accomplished" you mean that the spammer gets his post through - yes. However, it's hard to monetize that success when the requirement for said message getting through is that it's usefully informative or otherwise helpful to the human readers of the forum.

      Ultimately, if such a thing happens (I personally foresee anti-CAPTCHA technology evolving into the first proper AI somehow), it will be more of a win for the human users than the spammers. Signal:Noise ratio is the main problem holding back those online communities as far as I can tell. Hell, maybe an artificial spam-intelligence will help us the way targeted advertising was *supposed* to do, and ad moguls still claim it does.

      How's this for a new business model: become a useful member of society by providing useful information in accessible places, and then using your new-found credibility to push services that make you money. Sounds a lot like celebrity endorsement, maybe, but perhaps there's a whole market for "computer problem" experts, or "aftermarket automotive modifications" experts, or other niche knowledge bases. Turn your weird passions into cash! OK advertisers, you want a place at the table in whatever form Web 3.0 takes, get on it.

      --
      Goddammit just when I get my first +5 the Beta rolls out and kills everything
    5. Re:Okay, what's next? by Anonymous Coward · · Score: 0

      If by "mission accomplished" you mean that the spammer gets his post through - yes. However, it's hard to monetize that success when the requirement for said message getting through is that it's usefully informative or otherwise helpful to the human readers of the forum.

      The strategy would look like this:

      Step 1: The spammer hires some people to make helpful and constructive comments, in order to get into the forum.
      Step 2: As soon as those users are established, they start to vote on bots sending spam messages, claiming those messages are helpful and constructive.
      Step 3: As the bots are admitted into the forum due to those votes, they themselves vote new messages from other bots as helpful and constructive.

      Now you have a self-sustaining crowd of spam bots marking each other helpful and constructive.
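
The three-step scheme in the comment above leaves a structural trace a forum can check for: every bot's admission ultimately rests on the votes of a few sponsor accounts. The sketch below is an added example, not code from the thread or from any forum software. It assumes a hypothetical rule that an account is admitted once it has `THRESHOLD` helpful votes from existing members, and a constructed vote log with made-up account names; it replays admissions with small groups of members removed and ranks the groups whose removal un-admits the most accounts.

```python
from itertools import combinations

THRESHOLD = 2  # assumed: "helpful" votes from existing members needed for admission

# Constructed sample data; every account name is made up.
SEEDS = {"mod1", "mod2", "mod3"}  # accounts vetted by the site's staff
VOTES = [  # (voter, account voted helpful)
    ("mod1", "alice"), ("mod2", "alice"),
    ("mod2", "bob"), ("mod3", "bob"), ("alice", "bob"),
    ("mod1", "carol"), ("alice", "carol"), ("bob", "carol"),
    # Step 1: hired accounts earn admission from genuine members.
    ("mod1", "h1"), ("mod2", "h1"), ("mod2", "h2"), ("mod3", "h2"),
    ("mod1", "h3"), ("mod3", "h3"),
    # Step 2: the hired accounts vote the first bots in.
    ("h1", "b1"), ("h2", "b1"), ("h3", "b1"),
    ("h1", "b2"), ("h2", "b2"), ("h3", "b2"),
    # Step 3: bots vote for each other.
    ("b1", "b3"), ("b2", "b3"), ("b2", "b4"), ("b3", "b4"),
    ("b1", "b5"), ("b3", "b5"), ("b4", "b5"),
]


def admitted(votes, seeds, excluded=frozenset()):
    """Replay the admission rule to a fixed point, as if `excluded` never existed."""
    members = set(seeds) - set(excluded)
    changed = True
    while changed:
        changed = False
        support = {}
        for voter, target in votes:
            if voter in members and voter != target:
                support.setdefault(target, set()).add(voter)
        for target, voters in support.items():
            if (target not in members and target not in excluded
                    and len(voters) >= THRESHOLD):
                members.add(target)
                changed = True
    return members


def ring_sponsors(votes, seeds, max_group=2, min_collapse=3):
    """Return (group, accounts_lost) for minimal groups whose removal
    un-admits at least `min_collapse` other accounts, largest collapse first.
    Brute force over small groups: meant for what-if analysis, not scale."""
    baseline = admitted(votes, seeds)
    candidates = sorted(baseline - set(seeds))
    findings = []
    for size in range(1, max_group + 1):
        for group in combinations(candidates, size):
            # Skip groups that only qualify because a smaller one already does.
            if any(set(found) < set(group) for found, _ in findings):
                continue
            remaining = admitted(votes, seeds, frozenset(group))
            lost = baseline - remaining - set(group)
            if len(lost) >= min_collapse:
                findings.append((group, sorted(lost)))
    findings.sort(key=lambda f: (-len(f[1]), len(f[0]), f[0]))
    return findings


if __name__ == "__main__":
    for group, lost in ring_sponsors(VOTES, SEEDS):
        print(f"remove {group}: un-admits {lost}")
```

In the sample, removing any two of the three hired accounts un-admits all five bots, while no group containing only genuine members crosses the reporting threshold.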

  14. captcha is not a security mechanism by Anonymous Coward · · Score: 0

    See title of comment.

    1. Re:captcha is not a security mechanism by Anonymous Coward · · Score: 0

      Technically it is. It provides protection from automated use of sites.

  15. Not all captchas are created equal. by Anonymous Coward · · Score: 0

    Ran into one the other day asking to only enter the numbers under a little circle. The numbers were distorted as usual, but only some of the numbers had a circle above them. Others had a little square or triangle.
    It'd be trivial to extend this to say "only enter numbers where the number of circles around the number corresponds to that number" or similar.
    Such minor changes would pose no significant problem for humans, but making sense of the instructions (which might either be embedded in the image or not) would be very hard for an algorithm to do. You wouldn't even need to limit yourself to the same instructions each time.

  16. Semantic captchas? by davidwr · · Score: 4, Interesting

    [imagine this as a captcha graphic]
    Spell last month.

    Or this:
    [image]
    Type the one that flies:
    England Turkey Russia

    Or this:
    [image]
    Type the word for
    2 + number of days in a week

    Or just to confuse things, split the "challenge" into code + html:
    [image]
    2 + number of days in a week
    [html] What is the number above minus 4, as a word: ___

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Semantic captchas? by Anonymous Coward · · Score: 2, Insightful

      How do you generate these captchas automatically? Otherwise it's too expensive as you are not able to reuse any of them, or the spammers build a database.

    2. Re:Semantic captchas? by cdrudge · · Score: 2

      Spell last month.

      l-a-s-t m-o-n-t-h

      Type the one that flies:
      England Turkey Russia

      They can all fly (provided they make it through TSA screening)

      Type the word for
      2 + number of days in a week

      t-h-e w-o-r-d...nevermind. Already used that.

      This one would be trivial to beat if they have already solved the distorted image captcha.

      2 + number of days in a week
      [html] What is the number above minus 4, as a word: ___

      negative two (yeah I know, it's two words)

    3. Re:Semantic captchas? by Anonymous Coward · · Score: 4, Funny

      Or this:
      [image]
      Type the one that flies:
      England Turkey Russia

      "As God is my witness, I thought turkeys could fly"

    4. Re:Semantic captchas? by Hentes · · Score: 1

      The problem with semantic captchas is that if they can be generated and checked by a machine, they can also be solved by one.

    5. Re:Semantic captchas? by Anonymous Coward · · Score: 0

      This can also serve as a sobriety test.

    6. Re:Semantic captchas? by Anonymous Coward · · Score: 0

      Watson + This System would beat all of those fairly easily!

    7. Re:Semantic captchas? by Anonymous Coward · · Score: 0

      Type the word for
      2 + number of days in a week

      2 step Wolfram alpha FTW:
      http://www.wolframalpha.com/input/?i=%28number+of+days+in+a+week%29+%2B+2
      http://www.wolframalpha.com/input/?i=9+in+words

    8. Re:Semantic captchas? by Anonymous Coward · · Score: 0

      2 + number of days in a week

      http://www.wolframalpha.com/input/?i=2+%2B+number+of+days+in+a+week

      "Results: 9 days"

    9. Re:Semantic captchas? by davidwr · · Score: 1

      Type the one that flies:
              England Turkey Russia

      They can all fly (provided they make it through TSA screening)

      Ever tried getting a country the size of England into checked baggage much less carry-on?

      And Russia? Forgettaboutit.

      Turkey on the other hand can fly in checked baggage with cat and dog. Or maybe outside plane with Moose and Squirrel but only at low altitude. But I digress.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    10. Re:Semantic captchas? by Anonymous Coward · · Score: 0

      2 + number of days in a week

      that can be solved right now:
      http://www.wolframalpha.com/input/?i=+2+%2B+number+of+days+in+a+week

    11. Re:Semantic captchas? by Mirar · · Score: 1

      I'm afraid you think too highly of the average user.

      Then again, if you are running say a forum, you might want to do this kind of test on the users. ;)

  17. This does not mean advancements in AI by Anonymous Coward · · Score: 3, Insightful

    The summary suggests this marks an advancement in AI, but it depends on what AI means. There are generally two areas of AI: 1) artificial "thinking", and 2) Using advanced algorithms to get things done. Most people think about #1 when you say AI, however solving captcha is just an example of #2. I would argue that #2 really isn't "AI" at all. In fact, all advancements in "AI" are of type #2. Attempts at #1, thus far, have been absolute failures.

    1. Re:This does not mean advancements in AI by ledow · · Score: 1

      99% of everything reported as "AI" is actually just heuristics (advanced algorithms designed - usually by humans but sometimes by random "guesses" like genetic algorithms - to achieve a particular task).

      That's why whenever I hear about "AI" taking over, I have to laugh. We're still dicking about with the algorithmic equivalent of flapping our arms faster in order to fly.

    2. Re:This does not mean advancements in AI by mrchaotica · · Score: 2

      We haven't even figured out whether #1 and #2 are actually different yet...

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    3. Re:This does not mean advancements in AI by lgw · · Score: 1

      Everything that researchers in the 1960s called "AI" we now have. I believe it was Minsky who said "AI is whatever computers can't do yet". Human intelligence is just a bunch of heuristics, for the most part: we're not so special.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    4. Re:This does not mean advancements in AI by Alejux · · Score: 2

      Just because something is not a sentient general intelligence or something related to higher thinking, doesn't mean it's not AI. This algorithm works much of the same way we do when trying to identify visual patterns. It uses much more finesse and way less computing power than some of the previous attempts to do the same thing. To say that this is not an advancement in AI is wrong. This whole assumption that the same modules responsible for the higher level thinking needs to be responsible for all the other aspects related to vision and other sensory inputs makes no sense. The same way our brain has the somatosensory cortex doing most of the input processing for us, future AIs will have auxiliary systems providing their visual, auditory and haptic processing for them. This is a technology that can and probably will be applied to robots and other autonomous systems in the near future.

    5. Re:This does not mean advancements in AI by fatphil · · Score: 1

      The article says:
      """
      Creating machines that can see the world and make sense of images as humans do is one of the “hard problems” in artificial intelligence. Breaking CAPTCHA is a milestone on that road—if Vicarious has pulled it off.
      """

      Prior cutting-edge research demonstrated:
      OCR on images of text that have had some distortions and noise added.

      Their video showed:
      OCR on images of text that have had some distortions and noise added.

      Not really seeing any new milestones being reached, merely a bit of fine tuning improvements. Even in the restricted problem space of OCRing CAPTCHAs, it's a stretch to say this is much of an advancement.

      --
      Also FatPhil on SoylentNews, id 863
    6. Re:This does not mean advancements in AI by TsuruchiBrian · · Score: 1

      Why is #2 not "AI"? #2 has been considered AI since the beginning of AI. Are you saying we need to change the name of #2 to something else? Why?

      #1 has not been a complete failure because #1 and #2 are related. What is "thinking"? It's true that we aren't close to an artificial intelligence passing the Turing test, but we are getting closer every day.

      You could say that every day before 2008 was a complete failure in regards towards quantum computing, and every day afterwards a success. Or you could look at all the little advancements up until the point of the first functional quantum computer as minor successes rather than complete failures.

      It all depends on whether your only goal is "create a machine that can pass the Turing test" and everything short of that is a complete failure, or whether "get closer to passing the Turing test" counts as a minor success. We are several orders of magnitude closer to creating AI than we were a century ago. Surely that counts for something even if we are far from complete success.

  18. Wonder what is next... by mlts · · Score: 2

    I sort of hope that the CAPTCHA-busting code is just vapor, and it doesn't get released.

    If it does come out and get into widespread use, what will likely result are websites likely going another step up the chain and doing more annoying stuff such as requiring access through Facebook, demanding a phone number for SMS authentication (of course, said number ends up getting sold to robodialers), or more intrusive means.

    I see some CAPTCHA replacement schemes like counting how many cat butts are facing a person in a row of six photos and inputting the number, but those seem at best a stopgap measure, and block out access to the site to the blind.

    1. Re:Wonder what is next... by Anonymous Coward · · Score: 0

      Go to facebook authentication to verify that I am a person? What if I REFUSE to join the facebook collective? I guess I'm not a person and you, as a company, can keep processing snail mail and paperwork written out longhand.

  19. Solve or spin by mdsolar · · Score: 1

    I wonder if the Turing test is: does the subject attempt to solve something too obscure or does it spin for another puzzle. Failing on the poorly made ones instead of rejecting them and going on to the next might show which is a human and which is a machine.

  20. This is great news! by Biosci777 · · Score: 1

    Does Download.com have it yet? I need a program like this to help me figure those freaky, wormy wordnumbers out.

  21. Was this unexpected? by Anonymous Coward · · Score: 0

    Isn't this the point of computers? To do what humans do so humans don't have to do it.

  22. How the spam industry solves CAPTCHAS now by Animats · · Score: 2

    If you read Black Hat World, you find that CAPTCHAs are a solved problem for spammers and fake account creators. The better systems run them through several OCR programs in parallel. That knocks off about 67% of them. There's a lot of special casing involved, but from the spammer's viewpoint, this is a solved problem. Getting from 67% to 90% would be convenient, but humans aren't at 90%. If all the OCR programs give up, the problem is sent to an outsourced service where low-wage people solve CAPTCHAs all day.

    The Black Hat forum system itself makes users play and win a short video game to lock out 'bots.

    1. Re:How the spam industry solves CAPTCHAS now by Anonymous Coward · · Score: 0

      Those "games" are no more secure than a captcha, just that they aren't guarding anything that has value to spammers at the current moment.

  23. In other news... by Iniamyen · · Score: 2

    First reliable text recognition software developed!

  24. Obligatory XKCD by bigdave42 · · Score: 2
  25. A meta-captcha by TheloniousToady · · Score: 1

    If you found the article worthless, you pass. If you found the dancing letters in the video entertaining, you also pass.

  26. Sorry, but this is not new news by Kargan · · Score: 1

    Guardian article from 2008 called 'Captcha is broken, now what?', which in turn references a Captcha-breaking algorithm that was created in 2005, "and demonstrated it by posting automated comments to nearly 100 blogs to demonstrate their vulnerability."

    http://www.theguardian.com/technology/2008/aug/28/internet.captcha

    --
    Palaces, barricades, threats, meet promises
  27. Alternately... by tlambert · · Score: 2

    Alternately... use the alternative audio and run speech recognition on it to solve the captcha.

    No one thinks outside the box any more...

    1. Re:Alternately... by Anonymous Coward · · Score: 0

      Speech recognition can't understand what I say clearly, let alone the captcha's audio with plenty of inserted noise that makes it impossible for me to even understand.

    2. Re:Alternately... by JWSmythe · · Score: 1

      The alt audio I've tried had so much background noise I couldn't figure out what it was saying... Speech recognition would probably do better than me if it applied noise reduction filters first.

      --
      Serious? Seriousness is well above my pay grade.
    3. Re:Alternately... by GuB-42 · · Score: 1

      It has been done many times.
      There are countless articles and news on the subject, like this one: http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/

  28. Sounds like a fancy artificial neural net by Anonymous Coward · · Score: 0

    > In fact, Vicarious's researchers go on to claim that their algorithm works in an analogous way to the human brain.
    > He can add more distortions, but we can simply add a few more training data that captures that distortion, if it is not already captured by the existing training examples.

    Really, it just sounds like they have a supervised ML algorithm which seems to be performing better than the umpteen others trying to break CAPTCHAs. Unless they release more details proving otherwise, I can't see how this is a breakthrough of any sort.

  29. The start of a beautiful friendship by Anonymous Coward · · Score: 0

    Between their 90% and my 10%, we could solve them all!

  30. It's the Singularity! by jdavidb · · Score: 0

    Artificial Intelligence now exceeds human capability.

  31. old news by 17 months. crack this by raymorris · · Score: 1

    Most captchas were cracked 17 months ago.
    It's time for something that's easier for humans and harder for computers. For example, these images have been tweaked such that the standard routines don't work:

    https://bettercgi.com/sb5/

  32. No such thing as AI by Anonymous Coward · · Score: 0

    No computer, by definition, can exhibit 'artificial intelligence'. The modern use of the term AI describes computers using massive massive databases of pre-captured data used by 'rule engines' applying standard statistical methods to do some form of pattern processing.

    The problem with CAPTCHAs is trivial to explain. A 'Turing Test' requires Human adjudicators, but clearly a CAPTCHA is designed to allow a COMPUTER to judge whether the 'user' at the other end is a Human or a 'machine'. So a machine must generate unique CAPTCHA data, and a machine must judge the 'correctness' of the response, ensuring that it is ALWAYS possible for a machine to correctly solve the CAPTCHA.

    How to make CAPTCHAs that avoid this problem? You can't! Use Humans to create unique CAPTCHA questions, and an attack can use any numbers of methods based on discovering a finite collection of 'questions'. Crowd-source an approach to the questions, and the known statistics of the psychology of crowd responses eliminates the useful Human dimension.

    Some people hope that CAPTCHA creation can be ultimately made analogous to the non-symmetric nature of strong encryption methods, but this is a mathematical fallacy. The issue is this- 'common sense' suggests to most of us that an image, obvious to a Human, but incredibly hard for a computer vision algorithm to identify, must be easily creatable by sufficient computer power. But 'common sense' ignores the reality of the problem.

    The Human vision system, when processing something useful for the CAPTCHA system (usually text) works in a VERY trivial way. Semantic thinking, the impossible part of Human thinking to replicate on a computer, plays no part in such a CAPTCHA. To solve such a CAPTCHA, a computer does NOT have to consider Human thought or perception, simply the pattern processing 'hardware' in the Human eye, and the nerves and brain function immediately connected to the eye. All the 'clever' visual jiggery-pokery to 'hide' the text from the computer 'solver' fails, because WE strip it out with very simple visual 'hardware', hardware a modern computer can very easily replicate.

    The best a CAPTCHA system can try to do is "security through obscurity"- in other words constantly change the form of the CAPTCHA, so although it is easily breakable, the software to break it is always one generation behind the software producing it.

    Why shouldn't a CAPTCHA company have HUMANS producing new CAPTCHA systems every hour, so the 'crackers' are always out-of-date? The significance of the work of the company named in the article is the claim that even this approach would have limited success, because the 'solving' simply gets to the root of how Human vision systems strip out the obscuring 'noise'. But then, the CAPTCHA companies, with their hourly Human coded permutations of the 'noise' system could simply include varying screen 'patterns' that instruct the user as to the 'order' of the letters/numerals.

    The trick is creating an ever changing HUMAN dimension for the display of the CAPTCHA data that the crackers have to learn, and code into their solver system- to keep the 'crackers' constantly one step behind. Dumb linear text, no matter how crapped up with 'noise', will easily fall to a perfected, once-and-for-all, machine method.

  33. New algorithm to replace CAPTCHA by AnalogDiehard · · Score: 1

    There's a new system on the way called BORE - Back Orifice Recognition Engine. They claim no two are alike. A seat is included with the system.

    --
    Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
  34. I thought it was already broken by zeroryoko1974 · · Score: 1

    Spammers, and bots seem to have broken it sometime ago, is this something new?

  35. Interesting Problem Actually.. by SuperCharlie · · Score: 1

    If you think about it.. what we are asking is... show us something you can do that a computer can't do..through a computer. Mildly mind boggling logic puzzle there.

  36. Good by Anonymous Coward · · Score: 0

    Captcha is worse than the problem it's supposed to fix.

  37. Recaptcha already broken by crossmr · · Score: 1

    Recaptcha from google has been broken for awhile. I had it implemented on my site and got about a dozen spam sign-ups a day.

    The moment I switched to a local "mycaptcha", which should have been easier to OCR, they stopped dead.

  38. That's bad news for me... by Anonymous Coward · · Score: 0

    As if my website (http://asecretspot.com) didn't get enough spam as it was, now bots will be able to solve captcha!? I'm doomed.