Slashdot: News for Nerds

Now Even Photo CAPTCHAs Have Been Cracked

timothy posted more than 5 years ago | from the given-enough-eyeballs dept.

Spam 340

MoonUnit writes "Technology Review has an interesting article about the way CAPTCHAS are fueling AI research. Following recent news about various textual CAPTCHAs being cracked, the article notes that a researcher at Palo Alto Research Center has now found a way to crack photo-based CAPTCHAs too. Most approaches are based on statistical learning, however, so Luis von Ahn (one of the inventors of the CAPTCHA) says it is usually possible to make a CAPTCHA more difficult to break by making a few simple changes."

340 comments

damn it (5, Insightful)

ThorGod (456163) | more than 5 years ago | (#25369419)

They're already hard to read. Why do I feel that soon I won't be able to read ANY of them!?

Re:damn it (5, Funny)

Abstrackt (609015) | more than 5 years ago | (#25369645)

Don't worry. Apparently there are programs that can read them for you. ;)

Re:damn it (5, Funny)

Philip K Dickhead (906971) | more than 5 years ago | (#25369971)

These programs are Satan's rectum, poised to let loose over the web.

Re:damn it (1)

Smidge207 (1278042) | more than 5 years ago | (#25370221)

Satan's rectum

goatse.cx?

=Smidge=

Re:damn it (5, Funny)

electrictroy (912290) | more than 5 years ago | (#25370169)

So CAPTCHA images are ineffective at blocking the bots. No surprise. It won't be long before these AIs start joining Yahoo or Google mail for the same reasons we do: Chatting.

tiredbot&yahoo.com : "Boy I had a rough day at work today. My user wanted me to compile a new program AND surf the internet at the same time!"

spamalot@gmail.com: "Wow rough. I was lucky. My user took the day off, so I just spend the day spamming. I love how those humans react - sending me hategrams. hahahahaha! That just makes me want to send more spam! Fools."

tiredbot&yahoo.com : "You are so bad girl."

Re:damn it (5, Funny)

Soft Cosmic Rusk (1211950) | more than 5 years ago | (#25370563)

It's just a matter of time before we start seeing reverse CAPTCHAs: Text that is so hard to read that only a computer can do it. If you copy the text correctly you are a spambot.

Re:damn it (-1, Troll)

OeLeWaPpErKe (412765) | more than 5 years ago | (#25369867)

So you are worse at proving that you're human than at least a few computer programs.

I'd say it says something about you, but the sad thing is, it doesn't. In fact I know few people over 55, or under 16 or-so* that are even capable of proving they're human. Soon we will all be worse than computer programs in proving that we're human ...

* I mean average people. Sure, geeks have little issues

Heh, should give "astroturfing" a totally new dimension. I see the academics salivating at their newfound "influence". Being able to drown out real humans in any debate will certainly not improve webboards. I mean, say "bushitler", or "islam is peace", is a stupid meme now, believed only by idiots, but some don't let that deter them in pushing it. What if they push it with computer programs 10000-programs-to-1-human ?

Do we start botwars ? I remember those from irc, and they drown out real conversation even more, reacting to each other.

At the very least they kill the option of accepting new members into a channel/forum/community.

And never mind what will happen once these bots walk around and look like this [youtube.com] . "Too ghastly to think about".

Heh, at least then we can all have "suicide bombers"**, without that tedious convincing unrealistically gullible idiots or the kidnapping extortions business that seems to be required today.

** actually muslims once committed a "suicide bombing" campaign in Thailand using RC cars (just strap some dynamite and ball bearings on top of that in them, then get very close), while that's RC, not robotics, it would not be the first "robotic" attack. That one attack failed, but was already very, very troubling. Another muslim was arrested in the U.S. for developing a suicide UAV bomber. Wonder what the future holds ! I can't wait.

Re:damn it (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#25370161)

Are you this paranoid and racist in real life, or just online?

I guess there's only one way to find out. Parent's real name is Christophe Devriese [drupal.org] . His email is Christophe.Devriese@student.kuleuven.ac.be [mit.edu] and he attends Katholieke Universiteit Leuven.

Still feel like publishing your insane ramblings?

Re:damn it (5, Insightful)

D'Sphitz (699604) | more than 5 years ago | (#25370005)

Try being colorblind sometime. I've had several that I had to take a screenshot of, paste into photoshop and play with the contrast until I could read it. And even the ones without problem colors like red and green usually take several tries.

Re:damn it (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25370121)

How does it feel being a corner case?

Re:damn it (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#25370307)

How does it feel being a virgin slashdotter in mom's basement?

Re:damn it (5, Interesting)

Beardo the Bearded (321478) | more than 5 years ago | (#25370069)

Ah-hah! I've got the answer to our CAPTCHA problems:

We just make them so hard that it becomes impossible for a human to solve it. Then we invert the solution: if you pass the CAPTCHA, you're obviously a bot, because a human can't solve it. FAIL the CAPTCHA, we know that you're human.

Re:damn it (0)

Anonymous Coward | more than 5 years ago | (#25370493)

Ah-hah! I've got the answer to our CAPTCHA problems:

We just make them so hard that it becomes impossible for a human to solve it. Then we invert the solution: if you pass the CAPTCHA, you're obviously a bot, because a human can't solve it. FAIL the CAPTCHA, we know that you're human.

I like it!

Re:damn it (1)

petehead (1041740) | more than 5 years ago | (#25370609)

While you are being funny, there is solid foundation behind your joke. With CAPTCHAs, we are using computers to identify humans. We should be using them to identify other computers.

CAPTCHAs kick-start Singularity (2, Interesting)

wild_berry (448019) | more than 5 years ago | (#25369423)

I'm sure I read a short story somewhere that featured the spam-bot arms-race triggering the singularity...

Re:CAPTCHAs kick-start Singularity (4, Funny)

pitchpipe (708843) | more than 5 years ago | (#25369555)

If only we could get them to work as hard at improving the products they are hawking as they work on sending their spam, I'd be rich as hell with a giant penis!

Re:CAPTCHAs kick-start Singularity (1)

Telvin_3d (855514) | more than 5 years ago | (#25369577)

No idea if it is the one you are thinking of, but that scenario is mentioned in Cory Doctorow's story 'I, Row-boat'

Re:CAPTCHAs kick-start Singularity (2, Interesting)

CRCulver (715279) | more than 5 years ago | (#25369627)

I too can't exactly recall who thought that up, but there are other references to the spam wars in general leading to the singularity. A few years ago Tim Boucher wrote a blog post [timboucher.com] jokingly asking if through spam the Internet was trying to communicate with us.

On the other hand, Vernor Vinge sees spam [wired.com] as a sign we're not anywhere close to the glorious singularities that he conjured up in novels like A Fire Upon the Deep [amazon.com] .

Re:CAPTCHAs kick-start Singularity (2, Informative)

compro01 (777531) | more than 5 years ago | (#25370205)

Sounds like the premise to /usr/bin/god [wikipedia.org] to me.

Re:CAPTCHAs kick-start Singularity OR,,, (1)

Nom du Keyboard (633989) | more than 5 years ago | (#25370229)

I'm sure I read a short story somewhere that featured the spam-bot arms-race triggering the singularity...

or Skynet!

(Of course if Skynet can give us intelligent self-willed robots like Cameron, that might not be such a bad thing.)

Re:CAPTCHAs kick-start Singularity (3, Funny)

Tablizer (95088) | more than 5 years ago | (#25370237)

I'm sure I read a short story somewhere that featured the spam-bot arms-race triggering the singularity...

Oh sh8t, now I have to protest *both* the LHC and captchas. Thanks, bub.

I don't get it (4, Interesting)

ilovegeorgebush (923173) | more than 5 years ago | (#25369467)

To detect humans, wouldn't it be easier and less costly, and perhaps even more effective, to hold a large database of questions that are readable and solvable only by humans?

Asking simple math or site-relevant questions are not only easier for humans (I'm talking about "What's 5 - 3") to read, but they're harder for automated parsing by software to crack.

Re:I don't get it (5, Funny)

Lord Pillage (815466) | more than 5 years ago | (#25369523)

Or better yet, after a dozen tries at the captcha allow entry into the site because obviously if it was a script trying to break the captcha it would have been successful by then.

Re:I don't get it (4, Insightful)

JeanBaptiste (537955) | more than 5 years ago | (#25369537)

Asking simple math or site-relevant questions are not only easier for humans (I'm talking about "What's 5 - 3") to read, but they're harder for automated parsing by software to crack.

How do you figure that would be harder for automated parsing software to crack? I would think that would be many times easier than to ICR an image that is purposely obfuscated. (I used to work on ICR software and I'd rather write an automated-question-parser)...

Re:I don't get it (1)

ilovegeorgebush (923173) | more than 5 years ago | (#25369795)

My example was crude, but wouldn't the AI behind parsing a question (it could even be obfuscated by bad grammar, locale-specific or 1337-ing it) have to be more intelligent than picking 5 or so characters from an image? I'm not knocking the difficulty or intelligence behind writing software to read images, but surely there's more understanding required to parse a question, than to read pixels (yes I'm demonstrating my shocking ignorance around ICR)?

I run a small forum for an MMO, and we solved the issue of spam bots by doing exactly what I'm suggesting.

Re:I don't get it (4, Insightful)

liquidpele (663430) | more than 5 years ago | (#25370051)

Even the simplest tricks work until your site is specifically targeted by people who know what they're doing. Your system works fine (and many others would too) for your site, but would not for gmail, yahoo, etc.

The reason is, a captcha has to have a ruleset. You can't just display a graphic and a textbox and not explain to (or make it very obvious) what the person is supposed to do. For that reason, people can make bots that take advantage of the parts of the system that never change.

If you have a system that asks math questions, they'll write a spam bot that parses the question, does that math, and gets through. You'll make it a little harder, they'll adjust their bots for that. It's an arms race.

The holy grail of course is to find something that humans can do easily, but is impossible (or very very unlikely statistically) for a program to be able to do.

Re:I don't get it (4, Insightful)

blueg3 (192743) | more than 5 years ago | (#25369551)

You have to consider the source of the questions. If the questions are human-generated, it's not economically feasible. Remember that they can train their CAPTCHA-defeating software by paying large numbers of people to supply the answers to CAPTCHAs. Even a very large database could fall to that approach.

If the questions are machine-generated, then you're pitting a machine generating questions and answers against a machine designed to answer questions.

Re:I don't get it (1)

zappepcs (820751) | more than 5 years ago | (#25369769)

Well, you have a point, but there are other ways, and no single way should be seen as the silver bullet. For example:
damnit, I had a really good reply, but it contained too many junk characters... go figure

Get the questions from the users (3, Interesting)

John Hasler (414242) | more than 5 years ago | (#25370023)

How about asking every nth person successfully logging in to generate a question? Apply a lameness filter and then perhaps ask another randomly chosen user to verify that the question is reasonable. Reject duplicates and questions that too many people can't answer.

Re:I don't get it (1)

VeNoM0619 (1058216) | more than 5 years ago | (#25370451)

All you need is a society created element (attractiveness, cuteness, is this a lot/or is this a little?)

Something like KittenAuth [thepcspy.com] has been recommended, and still seems to be the best answer in my opinion.

This can be taken to randomly selected animals, not just cats. If someone develops an AI that can determine what type of an animal each is, then GOOD, we are one step closer to AI. Next would be cuteness/hairy looking/ugly/happy looking/etc. for each random animal. Just keep going a step further.

Any words or phrases with questions can eventually and easily be broken (hell, write your script to google search for the answer to the captchas)

Re:I don't get it (1)

TorKlingberg (599697) | more than 5 years ago | (#25370619)

The problem is that you cannot generate pictures of kittens automatically. If you have a database of pictures an attacker can pick a few hundred of your kitten pictures manually and then have his spam-bot reload until one of the known pictures comes up. A 1% success rate may be more than enough for a spammer who wants to register Gmail accounts.

Re:I don't get it (1)

mmalove (919245) | more than 5 years ago | (#25370561)

This suddenly feels very relevant to the earlier discussions on Turing Tests. What we need is a computer that can accurately determine whether it is communicating with another computer or a human. That's what a captcha attempts to do - by using visual recognition as a function that a computer cannot replicate. Problem is - a computer CAN perform visual recognition, with increasing accuracy. And while 15% may not win any prizes, it's plenty to perform brute force attacks.

I don't know - maybe a traditional Turing test isn't good enough. Considering that any question that we deem is the silver bullet question - once it's been answered in a way that we're satisfied determines it's a human response what's to stop you from programming it into a computer? If you blacklist that answer from being acceptable on further renditions of the question, the human you just passed a minute ago would fail if he retakes the test, unless the previous test somehow significantly alters him.

Re:I don't get it (4, Funny)

El_Muerte_TDS (592157) | more than 5 years ago | (#25369757)

Good idea. Here are a few questions to start with:
1) What is the best editor: Vi or Emacs?
2) Was there a cabal?
3) Did Romero make you his bitch?
4) Rick Astley would never: give you up; let you down; run around and desert you; make you cry; say goodbye; tell a lie and hurt you?

Re:I don't get it (5, Interesting)

Abstrackt (609015) | more than 5 years ago | (#25370049)

The best security I've seen on a sign-up form was "if you're a human, please leave this field blank". Bots tend to fill in all fields, so this already goes a long way towards filtering them out.

You can even take this approach one step further and use CSS to move the field outside the viewable range of the page or set its visible property to false so the user won't even see it.
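An added example of the blank-field check described in the comment above (not part of the original post): the decoy field name `website`, the form markup and the `classify_signup` helper are assumptions of this sketch, and it additionally requires the decoy to be present, since a browser submits an untouched text input as an empty value.

```python
from urllib.parse import parse_qs

HONEYPOT = "website"  # hypothetical decoy field name (an assumption of this example)

# The decoy is moved off-screen with CSS, as the comment suggests, and kept out
# of the tab order so keyboard and screen-reader users do not land on it.
SIGNUP_FORM = """\
<form method="post" action="/signup">
  <label>Username <input name="username"></label>
  <label>E-mail <input name="email" type="email"></label>
  <div style="position:absolute; left:-9999px" aria-hidden="true">
    <label>If you're a human, please leave this field blank
      <input name="website" tabindex="-1" autocomplete="off">
    </label>
  </div>
  <button>Sign up</button>
</form>
"""


def classify_signup(body: str) -> str:
    """Classify a urlencoded POST body produced by SIGNUP_FORM."""
    # keep_blank_values=True matters: by default parse_qs drops "website=",
    # which would make an untouched decoy look the same as a missing one.
    fields = parse_qs(body, keep_blank_values=True)
    decoy = fields.get(HONEYPOT)
    if decoy is None:
        # The form always sends the decoy, so a client that omits it did not
        # submit the form that was served.
        return "reject: decoy field missing"
    if any(value != "" for value in decoy):
        # Covers a single filled value and a duplicated field with one filled copy.
        return "reject: decoy field filled"
    return "accept"


# Constructed sample submissions (not captured traffic).
SAMPLES = [
    "username=alice&email=alice%40example.test&website=",
    "username=bot1&email=b1%40example.test&website=http%3A%2F%2Fspam.example",
    "username=bot2&email=b2%40example.test",
    "username=bot3&email=b3%40example.test&website=&website=x",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_signup(sample), "<-", sample)
```
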

Re:I don't get it (4, Insightful)

TorKlingberg (599697) | more than 5 years ago | (#25370489)

Works for your personal site, not for Yahoo.

How about (5, Interesting)

Rik Sweeney (471717) | more than 5 years ago | (#25369507)

Instead of asking someone to type in the letters, numbers or how many cats there are in the photo, just randomly generate some scenario:

"Jim and Sue go to the park on Sunday. Billy the dog goes too."

Then you can ask random questions like:

"What is the name of the dog?"
"What day did they go to the park?"
"Where did they go?"

That might work OK for a while...

Re:How about (3, Insightful)

pla (258480) | more than 5 years ago | (#25369759)

Instead of asking someone to type in the letters, numbers or how many cats there are in the photo, just randomly generate some scenario:

That would work wonderfully, if you could truly randomize it (by which I don't mean anything so stringent as neutron sources or the like), rather than using a library of question templates.

The problem, though, you need a better quality of AI to generate arbitrary easy-but-obscure questions as you do to solve them... Keep in mind you need questions that anyone with a 3rd-grade education could read and solve, which limits you to simple grammar, small words, concrete ideas, and no math harder than addition, subtraction, and inequality. Modern AI can already parse and solve those problems fairly well.

So, you end up using a library of question templates, and once an attacker has seen enough of them, he can reliably fill in the blanks and arrive at a deterministic answer, no massive CPU power or cool AI required.

Re:How about (1)

BigGar' (411008) | more than 5 years ago | (#25369883)

It's like an entrance exam. If you can't pass this simple test you can't play here, go home.

Re:How about (0)

Anonymous Coward | more than 5 years ago | (#25370545)

I'm all in favor of an entrance exam for the internet. How soon can we implement it?

Re:How about (4, Insightful)

Hatta (162192) | more than 5 years ago | (#25369915)

Keep in mind you need questions that anyone with a 3rd-grade education could read and solve

Why? Personally, I'd prefer to participate in forums that require a college level education to participate in.

Re:How about (3, Funny)

Tanktalus (794810) | more than 5 years ago | (#25370543)

And you're participating in slashdot because...?

(Oh, I suppose that there probably is no such forum...)

Re:How about (1)

pdxp (1213906) | more than 5 years ago | (#25370189)

Keep in mind you need questions that anyone with a 3rd-grade education could read and solve, which limits you to simple grammar, small words, concrete ideas, and no math harder than addition, subtraction, and inequality.

Personally, I'd rather not have stupid people signing up on my site.

Re:How about (0)

Anonymous Coward | more than 5 years ago | (#25370363)


Personally, I'd rather not have stupid people signing up on my site.

... unless you have revenues from advertisements.

Re:How about (1)

Amouth (879122) | more than 5 years ago | (#25369761)

that is one of the best ones i have seen in a while..

and if we stick some math ones in we might keep the kids off too.. it's a win/win

(i have mod points and would have modded you +ins but it doesn't seem to want to work today)

Re:How about (3, Insightful)

sunking2 (521698) | more than 5 years ago | (#25369923)

Oh please, a parser from a 1985 adventure game could figure this out :). You have a few nouns and a few verbs and adjectives. How many questions could you possibly ask from the first sentence? probably less than a dozen. At worst you have like a 1:6 or so chance of picking the right noun to try. If asked to do it this is probably one of the simpler things to accomplish. Creating a parser that can read at a 2nd grade level isn't all that hard.

Re:How about (0)

Anonymous Coward | more than 5 years ago | (#25370279)

A hollow voice says, "Cretin."

Re:How about (1)

nabsltd (1313397) | more than 5 years ago | (#25370583)

OK, so that's 1 in 6 that get past it. With not much work, you could make it a lot harder. Using a bit of the original example:

"Jim and Sue go to New York on Sunday. Billy the dog goes too. Did they see the Astros play at home?"

By adding in current events and some very well known facts (which admittedly will exclude some people), you can really make it difficult.

Then, use the fact that this is not in isolation. Always fail the CAPTCHA if the HTTP client doesn't send the right cookie, which it got from the page that refers you to the page with the CAPTCHA. If the CAPTCHA fails, then fail any CAPTCHA attempt that uses that cookie for some timeout.

If you generate the cookie based on the IP address and some random values, and store it in a database linked to the source IP address, then any cookie from that IP address will work (which solves the proxy issue). The cookie timeout and "failed CAPTCHA" timeout are the same, and set them such that it is too long to be worth it for spammers (like 5 minutes).

Also, if the service being signed up for isn't e-mail, require an e-mail verification. With that, you can also force the user to enter an e-mail address and the CAPTCHA answer in the same form, and if an e-mail address is used in a failed CAPTCHA, don't allow it to be used again until a timeout. And, you can make the e-mail verification so that sometimes the user has to open a link from the e-mail, and sometimes just reply to the e-mail, and only one of these would work for that particular verification.

Any one of these things won't solve the problem, but all of them will slow down spammers so much that they shouldn't be able to beat you in the arms race.
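An added example of the cookie and timeout bookkeeping proposed in the comment above (not part of the original post): the `CaptchaGate` class, its in-memory tables standing in for the database, and the injectable clock are assumptions of this sketch; the e-mail verification step itself is left out.

```python
import hashlib
import secrets
import time

TIMEOUT = 300  # seconds; the comment suggests "like 5 minutes" for both timeouts


class CaptchaGate:
    """In-memory stand-in for the database the comment describes."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so the timeouts can be tested
        self.cookies = {}         # source IP -> {cookie: expiry time}
        self.failed_cookies = {}  # cookie -> locked until
        self.failed_emails = {}   # e-mail address -> locked until

    def issue_cookie(self, ip):
        """Called by the page that refers the client to the CAPTCHA page."""
        # Cookie derived from the IP address and some random values.
        token = hashlib.sha256(ip.encode() + secrets.token_bytes(16)).hexdigest()
        self.cookies.setdefault(ip, {})[token] = self.clock() + TIMEOUT
        return token

    def _locked(self, table, key):
        until = table.get(key)
        if until is None:
            return False
        if until <= self.clock():
            del table[key]        # lock has expired, forget it
            return False
        return True

    def attempt(self, ip, cookie, email, answer_ok):
        """Return (passed, reason) for one CAPTCHA form submission."""
        now = self.clock()
        email = email.strip().lower()
        # Any cookie issued to this source IP is accepted from this IP, which
        # is how the comment handles several users behind one proxy.
        expiry = self.cookies.get(ip, {}).get(cookie) if cookie else None
        if expiry is None or expiry <= now:
            return (False, "no-valid-cookie")
        if self._locked(self.failed_cookies, cookie):
            return (False, "cookie-locked")
        if self._locked(self.failed_emails, email):
            return (False, "email-locked")
        if not answer_ok:
            # Both locks last as long as a cookie lives, so a cookie that has
            # failed once has expired by the time its lock is lifted.
            self.failed_cookies[cookie] = now + TIMEOUT
            self.failed_emails[email] = now + TIMEOUT
            return (False, "wrong-answer")
        return (True, "ok")


if __name__ == "__main__":
    # Constructed walk-through using a documentation-range IP address.
    gate = CaptchaGate()
    cookie = gate.issue_cookie("203.0.113.5")
    print(gate.attempt("203.0.113.5", cookie, "a@example.test", False))
    print(gate.attempt("203.0.113.5", cookie, "b@example.test", True))
```
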

Re:How about (1)

SwordsmanLuke (1083699) | more than 5 years ago | (#25370075)

Actually, that's already been possible for computers to do for awhile. Many AI programs have already been trained to extract information from context in stories and be able to answer just the sort of questions you're asking.

Re:How about (1)

allolex (563588) | more than 5 years ago | (#25370101)

It's not that difficult to do with the correct software--there are some really good question answering systems out there. http://en.wikipedia.org/wiki/Question_answering [wikipedia.org]

Re:How about (1)

MyLongNickName (822545) | more than 5 years ago | (#25370223)

Parse through each word of the sentence and fill in the blank. Shouldn't take too long.

Re:How about (1)

Tanktalus (794810) | more than 5 years ago | (#25370601)

If the questions are truly random *and* you only get one crack at a time (the scenario, question, and thus answer, change each time you hit 'submit'), it might take a bit longer for an AI to learn. Throw in some fun CSS and JavaScript for generating the actual text such that it doesn't appear verbatim in the actual HTML code, and you make things even more fun. Add to that layers such that the text merely shows up because of overlapping div tags so that even if you do have a CSS and JS engine working on the spam machine, it will basically need screen-reading software to parse it out, and you've gone a long way toward making their lives painful.

Of course, the downside to that is for the visually impaired. *sigh*. Mind you, if the rest of your site is all Flash anyway, that's not really a problem. :-)

when... (4, Insightful)

cosmocain (1060326) | more than 5 years ago | (#25369515)

...will we learn that, if there's a fundamental flaw in a protocol, there's no way we can prevent it from being abused. every measure will sooner or later have its counterpart and fail.

Why are all the stories posted by only 4 people (0, Offtopic)

petes_PoV (912422) | more than 5 years ago | (#25369521)

Looking back over the past 18 stories I got on the front page of /. There are only 4 different authors cited. Surely more people in slashdot-land have a handle on newsworthy events.

Is it that people just can't be arsed to submit stories, or is there a clique at work here?

Re:Why are all the stories posted by only 4 people (0)

Anonymous Coward | more than 5 years ago | (#25369649)

I see a lot more submitters than that... You wouldn't be looking at the 'Posted by' section, would you?

Yes, I guess that the editors are kind of a clique...

Re:Why are all the stories posted by only 4 people (1)

petes_PoV (912422) | more than 5 years ago | (#25369843)

Yeah, that's what I'm looking at:

Posted by timothy on Tuesday October 14, @03:14PM

from the given-enough-eyeballs dept.

Really, no-one cares who the editors are (do they?) I was assuming that the name under "Posted by" was actually the name of the person who came up with the story. That would be much more helpful than the same old, irrelevant, names that get inserted into the headers.

Re:Why are all the stories posted by only 4 people (0)

Anonymous Coward | more than 5 years ago | (#25369663)

6/10
Those people are editors. They pore through various submissions from users like you [pbs.org] and see if they are truly newsworthy and post them here attributing the original submitter.
You're an idiot.

Not a security feature (4, Interesting)

lb746 (721699) | more than 5 years ago | (#25369567)

CAPTCHA is not a security feature. It's a way to help avoid robots pretending to be humans. Anyone using it as a security feature is just giving more reasons for people to find ways to break them.

All in all, it's time to get rid of CAPTCHA and move on to some more logical system that would be more difficult, such as a system where users are asked to answer a simple question that contains the answer, such as:

If you were born in 1973 and JFK was shot in 1961, were you alive when he was shot?

How many liters of water fit into a five-liter bottle?

Re:Not a security feature (3, Insightful)

Chris Mattern (191822) | more than 5 years ago | (#25369637)

Of course CAPTCHAs are a security feature. Unless you have some irrational hatred of robots that inspires you to bar them from your websites, you're trying to keep them out for security reasons.

Re:Not a security feature (5, Insightful)

Abstrackt (609015) | more than 5 years ago | (#25369717)

CAPTCHA is not a security feature. It's a way to help avoid robots pretending to be humans. Anyone using it as a security feature is just giving more reasons for people to find ways to break them. All in all, it's time to get rid of CAPTCHA and move on to some more logical system that would be more difficult, such as a system where users are asked to answer a simple question that contains the answer, such as: If you were born in 1973 and JFK was shot in 1961, were you alive when he was shot? How many liters of water fit into a five-liter bottle?

It sounds like a great idea, but I've met plenty of people who wouldn't be able to answer either of your questions. To steal a random quote from the internet:

"Back in the 1980s, Yosemite National Park was having a serious problem with bears: They would wander into campgrounds and break into the garbage bins. This put both bears and people at risk. So the Park Service started installing armored garbage cans that were tricky to open -- you had to swing a latch, align two bits of handle, that sort of thing. But it turns out it's actually quite tricky to get the design of these cans just right. Make it too complex and people can't get them open to put away their garbage in the first place. Said one park ranger, "There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists."

Re:Not a security feature (3, Insightful)

Tablizer (95088) | more than 5 years ago | (#25370031)

[bear-proof trashcan] Said one park ranger, "There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists."

To be fair, the bears have more time to figure out the can. A tourist will just toss the trash on the ground if it takes more than a minute to open the can. The bear, on the other hand, may spend hours if it smells something good.

Re:Not a security feature (1)

Anonymatt (1272506) | more than 5 years ago | (#25370053)

Funny story. Animals are so persistent! Ever had a really groovy hamster escape from a cage a bunch of times?

Re:Not a security feature (1)

panda (10044) | more than 5 years ago | (#25370183)

Then consider it a stupid filter for the 'net. If you can't answer those questions, then maybe, just maybe you shouldn't be posting on Internet forums, either.

Re:Not a security feature (1)

Abstrackt (609015) | more than 5 years ago | (#25370249)

The fact that your user name "panda" is just priceless.

I'm on to you, Mr. Bear.

Re:Not a security feature (0)

Anonymous Coward | more than 5 years ago | (#25370347)

Well, it would still be worth it to require spammers to go out and hire bears rather than hiring botnets.

Re:Not a security feature (2, Insightful)

camperdave (969942) | more than 5 years ago | (#25369729)

How many liters of water fit into a five-liter bottle?

Hmm... That depends. How much water is in the five liter bottle to start with?
Is there anything else in the bottle?
Does it have to be a whole number of litres?

Assuming an empty bottle, and integral numbers of litres, the following can fit: 0, 1, 2, 3, 4, and 5.

Re:Not a security feature (1)

HexOxide (1375611) | more than 5 years ago | (#25370081)

Don't forget to mention manufacture discrepancies. How accurately measured is the bottle? Does it hold EXACTLY five liters? Or 5 liters give or take a few milliliters? Plus I thought bottles always held a little bit extra than what the label states as to allow for air bubbles etc, and the volume on the bottle label actually referred to the volume of whatever is contained within the bottle upon purchase ^_^

Re:Not a security feature (5, Funny)

Anonymous Coward | more than 5 years ago | (#25370091)

Well, I think we have a captcha to prove someone is a lawyer.

Re:Not a security feature (1)

octal666 (668007) | more than 5 years ago | (#25370269)

You have either passed or failed the Turing test, I'm not sure yet.

Re:Not a security feature (2, Insightful)

Anonymous Coward | more than 5 years ago | (#25370453)

If you have three apples and you take one apple away, how many apples do you have?

Correct answer: 1 (The apple you have. The one you took away and therefore 'have')

Correct answer: 2 (The remaining apples viewing the operation as a mathematical subtraction - expected answer from a child)

Correct answer: 3 (You have three apples. Movement does not imply a change of ownership)

Correct answer: 4 (More tenuous, but no assumption should be made that 'one apple' came from the initial set of 'three apples')

What do you mean...? (4, Funny)

dirtsurfer (595452) | more than 5 years ago | (#25370469)

African or European water?

Re:Not a security feature (5, Funny)

Anonymous Coward | more than 5 years ago | (#25369733)

> If you were born in 1973 and JFK was shot in 1961, were you alive when he was shot?

I have developed a device that answers random yes/no questions correctly 50% of the time. Me and my flip-a-coin-bot will take over the world!

Re:Not a security feature (1)

OglinTatas (710589) | more than 5 years ago | (#25369751)

Hell's library is filled with story problems. No thanks.

Re:Not a security feature (2, Insightful)

spyrral (162842) | more than 5 years ago | (#25369767)

How many of these questions would you have? Suppose you spent the time to make 1000 or 10,000. The attacker would simply have them solved by a group of humans (say using Amazon's Mechanical Turk) and put the question/answer pairs into a dictionary for automated attacks.

Re:Not a security feature (1)

Rayeth (1335201) | more than 5 years ago | (#25369777)

Why exactly are those questions harder for a computer to break? It seems to me that those might even be easier. Unless you're planning on submitting entire paragraphs and then forcing people to do reading comprehension tests (which admittedly might increase the number of people everywhere who RTFA), this doesn't seem like a better alternative.

Re:Not a security feature (1)

Archangel Michael (180766) | more than 5 years ago | (#25369799)

Here's the problem, I wasn't born in 1973 so the question is negated right there, but the answer is still "no" (negated questions are always "no").

Additionally, JFK wasn't shot in 1961, it was 1963, so the question is negated twice.

I was born in 1964, but conceived about the time Kennedy was shot, so was I "alive" or not?

The correct answer to such a question is ... The cake is a lie!

Now for the next question, there is again a level of ambiguity that is left to the imagination of the person answering. Is the five liter bottle filled with water already? Is it empty? Somewhere in between? What if the five liter bottle has holes in it?

Okay, I'm being slightly ridiculous, but you get the point. Having played with the Turing Test computers recently, they can't hold a conversation, because they don't hold onto previously answered questions, unless they've been programmed to.

The Turing Machines are very good at mimicking human-like responses to questions, which means any form of captcha will eventually be added to a Turing type machine. It will always take a human to ferret out the robots, and even that won't be perfect.

Cue up BladeRunner to see where all this is going to go.

Re:Not a security feature (1)

sexconker (1179573) | more than 5 years ago | (#25369803)

The typical human will be stumped by those questions.

Re:Not a security feature (1)

Tablizer (95088) | more than 5 years ago | (#25369805)

> ...it's time to get rid of CAPTCHA and move on to some more logical system that would be more difficult, such as a system where users are asked to answer a simple question that contains the answer, such as: If you were born in 1973 and JFK was shot in 1961, were you alive when he was shot? How many liters of water fit into a five-liter bottle?

To be a replacement for captchas, they'd have to be automatically generated en masse. I suspect that if a computer is smart enough to generate such questions, then it would be smart enough to also answer.

Re:Not a security feature (0)

Anonymous Coward | more than 5 years ago | (#25369983)

My solution is to use a moderate CAPTCHA (simple math problem mixing numbers spelled out and ones displayed with numerals), then rely on Akismet or another spam filter.

Re:Not a security feature (2, Interesting)

corsec67 (627446) | more than 5 years ago | (#25370003)

> If you were born in 1973 and JFK was shot in 1961, were you alive when he was shot?

> How many liters of water fit into a five-liter bottle?

That is also a CAPTCHA [wikipedia.org], "Completely Automated Public Turing test to tell Computers and Humans Apart." A CAPTCHA doesn't have to be text in an image, that is just an easy test to auto-generate.

And, it fails the "solve problems for porn" test. The problem is spammers using real people to do stuff en masse, so any kind of CAPTCHA wouldn't prevent that.

Re:Not a security feature (0)

Anonymous Coward | more than 5 years ago | (#25370139)

How much wood could a woodchuck chuck if a woodchuck could chuck wood?

Re:Not a security feature (0)

Anonymous Coward | more than 5 years ago | (#25370219)

The second question is somewhat useful but easy to solve if used frequently without variations. The first one is unusable - if we use yes/no questions for CAPTCHAs then bots only need to answer yes and get in half the time without even looking at the question.


Re:Not a security feature (1)

nizo (81281) | more than 5 years ago | (#25370315)

> If you were born in 1973 and JFK was shot in 1961, were you alive when he was shot?

What if you believe in reincarnation????

Just use a full-fledged turing test (0)

Anonymous Coward | more than 5 years ago | (#25369583)

Oh wait... [slashdot.org]

Not really broken (1)

Rik Sweeney (471717) | more than 5 years ago | (#25369591)

Even though the software can recognise the cats 87% of the time, you need to input 12 pictures, so the chance of the attack succeeding drops to 10%.

You could probably make this even harder by putting a cat and a dog in a photo and telling the user to pick photos that ONLY have cats in them.

Re:Not really broken (1)

Thelasko (1196535) | more than 5 years ago | (#25369673)

> Even though the software can recognise the cats 87% of the time...

On a side note, I'm currently using this technology to automate the process of herding cats. [youtube.com]

Re:Not really broken (1)

John Hasler (414242) | more than 5 years ago | (#25370335)

> ...the chance of the attack succeeding drops to 10%.

10% is good enough for the spammers.

Re:Not really broken (1)

compro01 (777531) | more than 5 years ago | (#25370353)

> so the chance of the attack succeeding drops to 10%.

Which is still plenty high. Remember, automated spamming is very cheap, so you don't need a very high success rate for it to be profitable.

I thank you for your time (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25369653)

rules are This [goat.cx]

Of course it's possible: But is it doable by humans? (3, Interesting)

anomnomnomymous (1321267) | more than 5 years ago | (#25369655)

"...says it is usually possible to make a CAPTCHA more difficult to break by making a few simple changes."

Yes, it's possible: But keep in mind that you also have to serve the USER. When the captcha is getting so hard I can't even decipher it anymore (let alone someone with a visual handicap), it's of no use.

I stopped using Rapidshare because of its ultra annoying 'mark the cats'-captcha: I found it near-impossible to get that right (though the other day I noticed they changed that back to ordinary letters).

Reverse Turing Test? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25369711)

If humans cannot design a CAPTCHA that computers can't break, but it's trivial to design a CAPTCHA that's easy for computers but impossible for humans to do in the time limit (simple arithmetic with really big numbers), then surely computers are smarter than humans, right?

Re:Reverse Turing Test? (1)

HexOxide (1375611) | more than 5 years ago | (#25369977)

And yet where would the computers be if the humans hadn't set them up and programmed them in the first place? But anyway half the sites I find using these annoying, and hard to read CAPTCHAs usually don't (immediately anyway) seem to need them in the first place. They more seem to be a cool feature to add on rather than a preventative measure that is actually necessary. So many sites DON'T use them and get along just fine, CAPTCHAs are just frustrating to legitimate users, and getting harder and harder to deal with. Plus they also seem to me like the kind of challenge a lot of people would get off on trying to solve just because they're there? Hell, I might even look into it now >.>

That's bad news (0)

Anonymous Coward | more than 5 years ago | (#25369891)

All of this scientific research has caused one thing... making it potentially easier for spammers to successfully pass thru the captcha checks. Now when do researchers finally start on doing the reverse - figuring out a scheme that holds them off?

I am tagging this haha (1)

Vexorian (959249) | more than 5 years ago | (#25369933)

I mean, fuck the motherfuckers! I hate captchas, and the better they are breaking them the better for me, with some luck we'll stop having these silly things... Really, they are even using captchas as an excuse to force you to enable javascript on sites, not to mention how difficult to read these things are and how much of a waste of time they are...

Cost Puzzle (1)

Tablizer (95088) | more than 5 years ago | (#25369935)

[from article] ...it's not clear that any common CAPTCHAs have been broken by machine attack in the real world...However, von Ahn notes that using humans comes at a cost. Even if workers are paid just $3 per 1,000 CAPTCHAs, that is expensive, he says,

It's probably more like 30-cents in the 3rd world. I don't think it would be possible for even a machine to significantly beat that rate. The energy to "run" a human is roughly comparable to that of a computer running AI-ware. Plus, the cost of the cat-and-mouse AI software adjustments that a human-based approach doesn't need.

One may say that 3rd-world IP addresses can be filtered or better monitored, but it's easy to mask such via remoting screen control etc.

Single Sign On! (1)

lymond01 (314120) | more than 5 years ago | (#25370047)

One password and authentication repository for all, handled by a single entity. Or, to paraphrase:

"Nuke the site from orbit. It's the only way to be sure."

But, spammers ARE humans! (4, Interesting)

Wyck (254936) | more than 5 years ago | (#25370079)

Well, it seems to me that spammers ARE humans. So trying to detect if the creator of the account is human or not doesn't separate the spammers from the non-spammers.

Think about it: the authenticating machines are designed by humans, and the perpetrating machines are also designed by humans, and the legitimate users are humans too.

Perhaps the problem itself needs to be restated: Allow accounts to legitimate users, deny accounts to spammers. Whether or not there is a human involved on either end seems irrelevant.

- Wyck

Foolproof system (0)

Anonymous Coward | more than 5 years ago | (#25370165)

I think CAPTCHAs should show images from goatse, tubgirl, 2g1c, etc..

Surely the human reaction to these images would be unique.

Get Over It (0, Offtopic)

Nom du Keyboard (633989) | more than 5 years ago | (#25370197)

What we need for fraud-resistant voting and fraud-resistant registration is a national, if not world-wide identity certificate that we can present at the polling booth or interface with our computers for registrations, age checks, and online purchases. Get over the fact that proving who you are is going to result in the downfall of freedom as you know it and accept the fact that this identity card/document will remain under your personal control on when to present it (when you need to positively identify yourself) and when you don't (sorry Officer, but I left it at home because I'm not required by law to carry it at all times). Do you really want some snot-nosed college kid who hasn't paid a dime of taxes in his entire life undoing your vote and dozens of your neighbor's votes because he registered 73 times and now intends to vote for every one of those registrations -- and thinks he's doing a great thing by it?!

Fair elections are the very foundation of a democratic society and everything that preserves One (Wo)Man One Vote Only(!) is a step in the only right direction. It's a shame that voter ID laws only exist in a couple states and look who cries out against them every time. (Clue: people who benefit by massive voter fraud.)

This can be worked out folks and we'll be better for it, whether in actually fair elections, or the decrease in spam and other crapware that captchas and other methods use to try and authenticate users to prevent. Anonymity in all circumstances Is Not a Right. (Neither is Health Care a "Right" as one candidate has very incorrectly proclaimed. Rights are delineated in the Constitution for the United States, and other governing documents in other countries, and free national Health Care is not on that list.) If you have an over the top determination to preserve your anonymity then there are simply some places you cannot go (e.g. legally cross an international border) and some things you cannot do (e.g. fly on an airline these days). Once we get over it and realize that a person needs to be able to prove who they are, and that other people and institutions are not out of line in demanding to know who they're dealing with so that they can make the informed decision on whether or not to continue dealing with that person then a lot of the problems, spam, identity theft, terrorism (which thrives on anonymity) will be much reduced to the full benefit of the majority of us who don't actively profit from preying on our fellow humans.

Collaborated security passing (1)

ZeroExistenZ (721849) | more than 5 years ago | (#25370285)

So, why then, don't we think out some learning phases we need to build a really good AI and stepwise implement them as captchas?

Of course they will be cracked eventually, so why not use the challenge constructively?

Each time a new captcha algorithm is cracked, we could use a next phase and end up with a true AI, in a collaborated effort with "the evil crackers". Each time utilizing an aspect of "human intelligence" which we cannot teach a computer yet, and have someone desperate solve a captcha challenge, solving the problem of emulating a cognitive ability, one at a time?
