Building a Better CAPTCHA
Posted by Soulskill on Friday January 23, @07:04PM
from the we-have-the-technology dept.
jcatcw writes "Steven
J. Vaughan-Nichols reports that CAPTCHA cracking isn't that difficult
these days. It has even become a business. For example, DeCaptcher.com
will solve CAPTCHAs for your spamming needs at a rate of $2 per 1,000
successfully cracked CAPTCHAs. In response, newer systems are in development.
Both Carnegie Mellon and Penn State (is there something about the water
in PA?) are working on image-based systems. ESP-PIX and SQ-PIX both
require the viewer to interpret pictures. Imagination CAPTCHA from Penn
has the user find the center of an image. The idea is that humans are
better at image recognition than computers, but humans can legitimately
disagree on their interpretations and some humans are color blind.
Problems remain. For now, sites would be well advised to look at
reCAPTCHA — the system that works with Google Books and the Internet
Archive to digitize printed texts — which comes with a wide variety of
application and programming plug-ins and an open API."
Indecipherable (Score:5, Insightful)
Re:Indecipherable (Score:4, Funny)
Me too. Wanna go halfers on 1000 CAPTCHAs?
Re:Indecipherable (Score:4, Insightful)
Pretty much. It's outsourcing your captcha solving to impoverished third-world solvers. So really, there's nothing they can do to make Captchas better - humans ARE solving them, it's just an economic imbalance being exploited.
I use it because I'm sick of captchas everywhere and it's dirt cheap. I figure if we break them bad enough people will stop trying dumb technical solutions to social problems. (spam)
Re: (Score:2)
Some people believe they would be rather easy to decipher [ckers.org].
Youtube captchas are terrible. (Score:2, Insightful)
I speak for everyone. Captchas SUCK.
Get rid of them.
Re: (Score:2)
Well, you go get rid of the spammers, and we will.
Build a system that's not spammable. (Score:3, Interesting)
I'm not sure how, yet, but I want people to start thinking about it this way.
Just like DRM.
See, with DRM, start with the assumption that all DRM can and will be cracked, and that all software and media can and will be pirated. Your challenge, then, is to make the legitimate product provide at least the quality and value of the pirated copy (something most DRM'd solutions fail miserably at), and ideally make it desirable enough that your price starts to seem reasonable, even when the alternative is "free".
So
Re: (Score:3, Interesting)
Please, don't suggest something stupid AND already obsolete, we might get saddled with it.
Fortunately, it has two advantages:
First, for those who aren't using botnets, or sufficiently large botnets, it's a significant impediment.
Second, more cycles increases the chance that people will notice their computers slowing down and figure out it's a botnet.
Finally, it really doesn't matter whether we get saddled with it or not -- since it's just using Javascript, it's no more cumbersome than Slashdot's current comment system. And if it's completely ineffective, it could be turned off with no ill effects
Re: (Score:3, Insightful)
Yes, they are. They are not stopping all spammers, but that is very different from not stopping them at all.
Re: (Score:2)
Seems like a stop-gap maneuver to buy some time against the crap flood.
A few days ago I had to get a hold of someone through a popular social network that I don't normally use. I asked another person to come look at the captchas the site was giving me before allowing me to send each message. The captchas were not just hard to read... the first letter was completely unintelligible to the point that I wasn't even sure there was a letter present beneath the obfuscating distortions.
At first I thought that som
Dying Technology (Score:5, Insightful)
C.A.P.T.C.H.A - Completely Automated Public Turing test to tell Computers and Humans Apart.
This is a dying technology.
1) Computers and synthetic systems in general are ONLY going to get better at doing anything a human can do. I mean anything.
2) Humans are a substitute for our lack of a synthetic system to solve a CAPTCHA.
A CAPTCHA has two answers to its owner. This is a Human and this is a Computer. Humans can be hired to solve CAPTCHA at economically viable rates to meet the demand with a supply. Computers are catching up at being able to solve various CAPTCHAs creating an "arms race" between developers and those that need to crack CAPTCHA automatically with high throughput.
The window for this technology to be effective in its use is shrinking rapidly and it will only be a matter of time before it is nearly impossible to tell without physical inspection what is a synthetic human response and an actual one.
Re:Dying Technology (Score:5, Informative)
Humans can be hired to solve CAPTCHA at economically viable rates to meet the demand with a supply.
Not in general. For high-value targets, yes. For spamming blog comments, no.
Re: (Score:2)
Humans can be hired to solve CAPTCHA at economically viable rates to meet the demand with a supply.
Not in general. For high-value targets, yes. For spamming blog comments, no.
Except that cracking one blog system CAPTCHA cracks all blogs with that system's CAPTCHA. Which makes anything but custom software (that Joe Sixpack wouldn't know the first thing about building) a high-value target.
Re:Dying Technology (Score:4, Insightful)
Using a human being to solve a CAPTCHA is not "cracking" the CAPTCHA, nor does it make the next blog or even the next CAPTCHA any less secure. If the CAPTCHAs are actually successful enough that the only solution is to hire third-worlders to do them for you, a large part of the battle is already won.
Will it stop all spam? No. Will all spam ever be stopped? Nope, so let's take what we can get while we can get it.
Re: (Score:2)
Well, computers are still pretty crappy at heuristics, whereas the human brain is much better. Non-computable problems cannot be solved by a computer at all.
Let us take a theoretical CAPTCHA. This CAPTCHA uses optical illusions to create images in the brain that do not appear on the screen. These illusions are not, however, contained within a single image but an animation that is rapidly flipped through, exploiting persistence of vision to include the elements of the images you actually want and to exclude e
Re: (Score:2)
Your description is vague (perhaps intentionally so), but I'm skeptical nonetheless.
The persistence-of-vision hurdle is easily jumped, by tuning a decay function to interpolate across the animated gif so that it looks like the appropriate single frame. Note, this only has to be done once.
This leaves the optical illusions. Again, there are really only so many of these, and they can be pattern-recognized and classified as whatever they represent. You can stick them together in any combination but this just ad
Re: (Score:3, Insightful)
And:
3) As you make it harder to solve for computers, you also make it harder to solve for humans.
Since current CAPTCHAs are getting quite difficult for humans to solve, the process has already reached its limit. Facebook's captchas are difficult enough for me that I have to ask for a new one 5-10 times to get one I'm fairly sure of.
This one involving optical illusions is absurd, there will be large numbers of people who can never get it right.
Re: (Score:3, Informative)
Well actually, systems like the one on facebook do have a kind of "I don't know" which is the "give me another". At least it makes it possible to solve, if extremely annoying ...
Re: (Score:3, Insightful)
That's not what I meant. A Turing test is designed to test subjects and from their answers determine if it is a human or a computer. You are talking about the answer that a subject may give to the test itself. I was talking about the result that the Turing test may give to the researchers or the system. They are two different th
Re: (Score:3, Funny)
obligatory xkcd solution to captchas
http://xkcd.com/233/ [xkcd.com]
Re: (Score:3, Funny)
Computers and synthetic systems in general are ONLY going to get better at doing anything a human can do. I mean anything.
Robot sex slaves, here we come!!!
How to get around CAPTCHA for Porn? (Score:5, Insightful)
Even if they had a perfect system that could tell a person from a computer, how can they prevent a CAPTCHA for porn system?
(You make a website offering porn for entering the solution to a CAPTCHA from a 2nd site, and then use that solution on that 2nd site)
Re:How to get around CAPTCHA for Porn? (Score:4, Insightful)
Captchas have right or wrong answers, which can be immediately verified.
Spam or not spam can not. Some imbeciles can just make random selections without caring. Even if you give posts to multiple people to see if they agree, you can get enough imbeciles to ruin the system.
Re: (Score:2, Funny)
But you have to add captchas to your 3rd site to make sure a 4th site isn't spamming your (3rd) site with fake spam/legit answers in an effort to steal your porn (to make their own porn-fueled, captcha-solving farm).
Re:How to get around CAPTCHA for Porn? (Score:4, Funny)
Logical next step (Score:3, Funny)
Instead of one little captcha at the end of a web form, the whole site will be a captcha.
All the form labels will be jumbled images, and there will be 9 form submit buttons, 8 with dogs and 1 with a cat.
All textual content can be a mangled image to stop scrapers as a bonus.
Oh and please don't actually build this.
Re: (Score:2, Informative)
Image capture program will just capture multiple frames and combine them, just like your eye (basically, effectively does).
Also, PAL is 50 fields per second, 25 frames per second. Not 25 fields and 12.5 frames.
Nope, that won't work either. (Score:4, Insightful)
Give me the frames of such an animation and I can trivially write a program that simulates persistence of vision by smearing the pixels over time, thus making it solvable by a computer.
In the long run, CAPTCHAs are doomed.
Worded questions? (Score:2, Insightful)
I thought the ideal captcha would be worded questions presented in the same image-like format as current captchas, e.g. "Two and Two makes?" or "The opposite of day is..?" Whilst the image recognition is now feasible, making a general system to solve this problem would be somewhat more difficult than just improved single-word captchas.
Annoyingly, however, the system to create such captchas cannot really be automated (in terms of creating the questions). So I suppose as long as the captchas are computer cr
Build a database of inputs and outputs (Score:3, Interesting)
Re: (Score:2)
It's worse than that: any captcha system can be cracked by humans. You can either pay lots of low wage workers or offer some reward (porn) for cracking captchas. I came up with a whole bunch of captcha-tech ideas that would require hard AI... and then realized it's a dead end tech anyway. There are plenty of people in the world willing to crack captchas for next to nothing. There's no way to tell a real user from a person who is just trying to abuse the system.
Something like recaptcha will stop lazy att
Re: (Score:2)
So if I open things in tabs and come back when I'm finished reading whatever I was reading, I'm guaranteed to fail the first CAPTCHA? Seems like a pretty good way to annoy visitors into leaving.
Pay captcha creators :) (Score:2)
So how about a system of paying captcha-creators $2/1000 captchas created? ;)
On a serious note, though, it seems that general knowledge is a better way to do it than simple word recognition...
Or, on the more imaginative side, what about classical music recognition. I don't know how good computers are at analyzing not just "Beethoven's 5th" but analyzing it amidst numerous recordings which all would have very significantly different waveforms. Unfortunately, music is neither universal (it'd have to be coun
Re: (Score:2)
Actually music recognition seems like a task computers would be much better at than humans (rather, a program designed for just that task would be better at it than a random, off-the-street human).
Re: (Score:2)
Wouldn't it have to do some pretty fancy waveform analyzing though, or a database of all the waves? There are a ton of different recordings of this or that well-known music piece.
Maybe recognition isn't based on the waveform.. I'm not sure what else it'd be though.
Re: (Score:3, Insightful)
Presumably the universe of tunes every internet user could be expected to know is quite small, so it would only be a matter of matching to that set. There's already an iPhone app (Shazam, I think it's called) that can identify ambient music and send you to the iTunes purchase link. That's presumably a much harder problem (a vastly bigger universe and probably poorer sound quality), and it's already been solved.
Cylon Detector (Score:3, Funny)
Suck it, Vernor & Kurzweil (Score:3, Insightful)
No one could ever predict that it would be spammers and porn merchants who would solve the hardest problems in AI.
maybe we could use pictures instead (Score:2)
Stop Comment Spam By Analysing the Actual Content (Score:2, Insightful)
Enough with the annoying captchas; stop comment spam by just analyzing the content.
Free and works well:
http://defensio.com/
I really hate (Score:4, Interesting)
Re: (Score:2)
Don't make them harder, make them different. (Score:2)
Ok, I will happily admit that I know bugger all about cracking CAPTCHAs, but one thing I have noticed is that most sites use their own version of a CAPTCHA, probably to make it harder to crack.
This must mean that sites are specifically targeted by the crackers, specific routines are probably made to maximise the chances of a successful "crack" against that site. So rather than just making them harder and more obscure (Thus making them harder for humans to read), why not just vary them by a great deal?
If an
COLORblind? How about BLIND blind? (Score:5, Interesting)
The idea is that humans are better at image recognition than computers, but humans can legitimately disagree on their interpretations and some humans are color blind.
COLOR blind? Some humans are BLIND blind. Others have various vision or vision processing impairments that would make meatware-visual-coprocessor-test CAPTCHAs reject them.
IMHO most CAPTCHAs are already and obviously violating the Americans with Disabilities Act. So now, in the info-war between weapons and armor (which weapons always win anyhow), even more of us less-than-Aryan-Supermen become collateral damage.
Dogs are (allegedly) color blind and "... on the Internet nobody can tell you're a dog!". Well, maybe PEOPLE can't. But now the web applications can. B-(
The solution to being attacked by better weapons is not better armor. That's only a stopgap. The solution is to hunt down those who misuse weapons and make them incapable of or unwilling to continue.
I like how reCAPTCHA is the recommendation... (Score:3, Interesting)
...even though CraigsList uses reCAPTCHA and the article talks about a utility that helps spammers automatically post on CL.
Besides, it's fairly easy to set up a Mechanical Turk HIT for users to solve CAPTCHAs for a penny a piece. Assuming you make more than a penny per captcha solved, you're set. If not, make someone successfully solve more than one CAPTCHA per HIT submission.
OCR (Score:2)
The article focuses on OCR as the main problem. CAPTCHA can be broken by OCR, so reCAPTCHA uses text that OCR has already had trouble reading. Ok got it.
So why are they stuck on ASCII characters? Why not use obfuscated animal pictures? "Type one word that best describes the picture above." Answer: Zebra (Moose, Dog, whatever)
Why do they keep putting the right answer in the CAPTCHA? How about obfuscating "__ cups in a pint?" or "A Bakers Dozen is __".
I'm no CMU whiz, but
Re: (Score:3, Interesting)
But let me take another stab at it.
What if the question wasn't always "what is in the picture?"
Given a database of 1000 basic images like animals, shapes, fruits, and vegetables matched to the word for what each one is and its category (animal, fruit, etc.). Now the CAPTCHA shows 6 of them in 6 little squares. (~985 quadrillion combinations) It can ask a nearly endless list of questions using simple formulae:
What is
Re: (Score:3, Insightful)
Who the hell knows that shit??? O_o
Google.
In other news, it's probably a bad idea to base a captcha on something Google will look up for you.
No workarounds? Really? (Score:2)
Captchas aside, aren't there other ways of preventing bots from registering multiple accounts? Instead of focusing on humans, how about focusing on the behavior of the bots. Do they change their IP address every time? Do they fill forms faster than humanly possible? Does any human register more than one account on your site? Do they enter random text or put in URLs where they shouldn't?
I still do not see any attempts to weed out the bots.
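The behavioural checks asked about in the comment above, as an added example that is not part of the original thread: a server-side scorer that flags signups filled in too fast, repeated signups from one address, URLs in a name field, and random-looking text. The field names, thresholds and sample records are assumptions constructed for illustration, and the "new IP every time" question is not covered here.

```python
import re
from collections import defaultdict

# Assumed thresholds for illustration; tune them against real traffic.
MIN_FILL_SECONDS = 3.0
MAX_SIGNUPS_PER_IP = 2
URL_RE = re.compile(r"(https?://|www\.)", re.IGNORECASE)

def looks_random(text):
    """Crude gibberish check: 8+ letters with under 20% vowels."""
    letters = [c for c in text.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2

def score_signups(attempts):
    """Return {username: [reasons]} for attempts that trip a signal."""
    per_ip = defaultdict(int)
    flagged = {}
    for a in attempts:
        reasons = []
        per_ip[a["ip"]] += 1
        # Form rendered and submitted faster than a person could type.
        if a["submitted_at"] - a["rendered_at"] < MIN_FILL_SECONDS:
            reasons.append("filled_too_fast")
        # More accounts from one address than a single human needs.
        if per_ip[a["ip"]] > MAX_SIGNUPS_PER_IP:
            reasons.append("many_accounts_from_ip")
        # A URL in a field that should hold a name.
        if URL_RE.search(a["display_name"]):
            reasons.append("url_in_name_field")
        if looks_random(a["display_name"]):
            reasons.append("random_text")
        if reasons:
            flagged[a["username"]] = reasons
    return flagged

# Constructed sample data (documentation IP ranges, times in seconds).
SAMPLE = [
    {"username": "alice", "ip": "198.51.100.7", "rendered_at": 0.0,
     "submitted_at": 41.0, "display_name": "Alice Moreau"},
    {"username": "bot1", "ip": "192.0.2.10", "rendered_at": 100.0,
     "submitted_at": 100.4, "display_name": "xkqzwrtpl"},
    {"username": "bot2", "ip": "192.0.2.10", "rendered_at": 101.0,
     "submitted_at": 101.3, "display_name": "cheap pills www.example.com"},
    {"username": "bot3", "ip": "192.0.2.10", "rendered_at": 102.0,
     "submitted_at": 110.0, "display_name": "Bob Stone"},
]

if __name__ == "__main__":
    for user, reasons in score_signups(SAMPLE).items():
        print(user, reasons)
```

Signals like these are best used to route an attempt to extra verification or review rather than to reject it outright, since shared addresses and fast typists produce false positives.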
gmail captcha (Score:2)
hate it. hate it hate it hate it.
I have to set up gmail accounts periodically for users here and it takes me some fighting every time to make the account. The "wheelchair" icon makes it read it to you, and the idea of course is in case you are having problems with the picture you can listen to it. But it's like trying to make out what your friend is saying to you from the other end of a dance floor. I have yet to figure out what they're saying by the recording.
And if you miss the captcha too many times,