Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Audio CAPTCHAs Cracked; ReCAPTCHA Remains Strong

CmdrTaco posted more than 5 years ago | from the captcha-captcha-chameleon dept.

157

Falkkin writes "Ars Technica reports that audio CAPTCHAs consisting of only distorted digits or letters can be easy to crack using machine learning techniques. This includes most of the audio CAPTCHAs currently in use on the Web. The reCAPTCHA team has discussed their new audio CAPTCHA, which is resistant to this attack."

cancel ×

157 comments

Sorry! There are no comments related to the filter you selected.

I'm sick fo CATCHA (5, Interesting)

theaveng (1243528) | more than 5 years ago | (#26033059)

It was okay at first, but now it's reached the point where it takes me 3 or 4 tries to finally guess the letters.

It's become more hassle than it's worth. Isn't there a better way to stop bots from getting accounts?

Re:I'm sick fo CATCHA (4, Interesting)

LilGuy (150110) | more than 5 years ago | (#26033107)

It's almost gotten to the point where it's easier for the bots to guess the letters than for an actual human.

Reverse captcha?

Re:I'm sick fo CATCHA (2, Interesting)

Zebra1024 (726970) | more than 5 years ago | (#26035423)

Hmmm - Maybe a good idea for a Firefox add-on. It could "read" the CAPTCHA for you.

Re:I'm sick fo CATCHA (1)

TheRequiem13 (978749) | more than 5 years ago | (#26033131)

Yes, but we didn't think your mother would want to sleep with each person/cyborg who applied for an account.

Re:I'm sick fo CATCHA (5, Funny)

uglydog (944971) | more than 5 years ago | (#26033375)

trust me, his mom would be down for that. in fact, she handles multiple requests simultaneously. in the true multiple cores way, not the hyperthreading way

Re:I'm sick fo CATCHA (4, Funny)

Anonymous Coward | more than 5 years ago | (#26033665)

I'm trying to figure out what that translates to, but it's making my head hurt. So hyperthreading means she is "emulating" multiple "interfaces" with just one... Ow.

BTW, CAPTHCA for this post? "Receptor".

Re:I'm sick fo CATCHA (0)

Anonymous Coward | more than 5 years ago | (#26034939)

hyperthreading might be jerking off two guys, but only using one hand and so switching between the two guys.
multiple cores would be using one hand for each guy and jerking off both at once.

Re:I'm sick fo CATCHA (1)

uglydog (944971) | more than 5 years ago | (#26035369)

Actually, the GP brings up a good point. It should really be one hand emulating 2, to use your analogy. I'm not sure your analogy captures that. Maybe if she switched off fast enough?

Re:I'm sick fo CATCHA (5, Interesting)

socsoc (1116769) | more than 5 years ago | (#26033385)

A method I use is to put an input field with a name like "subject" in a contact form and then hide it via CSS. Then if that field is populated in the form submission, the server side drops the request.

It isn't the most accessible-friendly method in the world, but once I started doing this, all spam submissions dropped out. It's not foolproof and it's just another step in an arms race, but I agree that CAPTCHAs have gotten out of hand. They are especially confusing to people who are not tech savvy and don't know why they are trying to decipher a spirograph drawing in order to do something simple on your website.

Re:I'm sick fo CATCHA (5, Insightful)

X0563511 (793323) | more than 5 years ago | (#26033555)

Well, kudos for using CSS instead of javascript to hide it.

Re:I'm sick fo CATCHA (4, Insightful)

greatgregg (1106739) | more than 5 years ago | (#26033585)

This only works for small sites. Certainly the Yahoos and Googles of the world can't rely on something that can be broken with 2 minutes of hacking.

Re:I'm sick fo CATCHA (1)

hansamurai (907719) | more than 5 years ago | (#26034199)

Well, the Yahoos and the Googles of the world can afford better solutions than this. I deal with spam messages on my site that is pretty low traffic, and this seems like a great solution.

Re:I'm sick fo CATCHA (0)

Anonymous Coward | more than 5 years ago | (#26035491)

Well, the Yahoos and the Googles of the world can afford better solutions than this. I deal with spam messages on my site that is pretty low traffic, and this seems like a great solution.

Well that just means you are wrong and Not A Nerd and well, if you can't implement a steganography audio Turing Test then you should probably just pack up your little Kaypro and switch to making furniture. This may come as a shock to you, but many of us consider this to be common sense and some of us are your bosses!

Re:I'm sick fo CATCHA (2, Interesting)

lysergic.acid (845423) | more than 5 years ago | (#26035297)

meh... i haven't haven't had that hard of a time with CAPTCHAs. occasionally i might get one wrong and have to spend an extra 2-3 seconds to fill out another one, but i think properly implemented CAPTCHAs are still the most effective means of reducing spam submissions/sign-ups.

i don't think any kind of CAPTCHA will be completely fool-proof, and their effectiveness will inevitably drop over time. but even still they stop 99% of all attacks by blocking all but the smartest AI algorithms and spammers. and the reCAPTCHA method makes the most sense. they're taking problems that have already stumped machine AIs and using it to recover some public benefit from the hordes of botnets out there that would otherwise only be doing harm.

also, as more and more difficult machine AI problems are employed in common CAPTCHA systems, not only will it push AI development forward, but it will bring us ever closer to the point where spamming is no longer a logical career for the individuals actually smart enough to break such CAPTCHAs. if it takes a PhD in computer science & machine AI to break a standard CAPTCHA, then anyone with the ability to develop effective spambots would have much more interesting, or even lucrative, careers available to them.

short of this, the only way i see of attacking the spam problem is to go after the companies that hire spammers to advertise their products. the majority of the spam on the web is for products/services produced in the U.S., and these companies often have 800 numbers and accept payment by credit card. they operate out in the open and generally aren't fly by night companies. it's not like spam advertisements are selling black market goods like crystal meth or yellowcake uranium. they're all purportedly "legitimate" registered businesses with traceable bank accounts and public addresses & phone numbers. as long as businesses employing spammers are allowed to operate so brazenly without any legal repercussions, it will continue to be a mainstream practice. however, if you crack down on these scummy businesses then there'll be no money to be made by spammers, and hence no more spam.

Re:I'm sick fo CATCHA (1)

Instine (963303) | more than 5 years ago | (#26035371)

And for your blind users...?

Re:I'm sick fo CATCHA (3, Funny)

rhizome (115711) | more than 5 years ago | (#26035691)

And for your blind users...?

I'm not the poster you're replying to, but I have a guess at how this works.

First off, the blind person can't see, right? So the chances of them viewing source for a random page (or every form page they encounter) is probably pretty miniscule. At least I'll say it's comparable to the rate that sighted people view source as a matter of course in their browsing sessions.

So OK, they aren't just reading the source, finding a hidden form field and wondering why this hasn't been presented to them by their screen reader. They've just been checking news, blogs, posting a comment or two here and there, but nowhere in their Internet Travels have they had to contend with this curious case of a hidden "Subject:" field. What to do?

It turns out the answer is quite simple. That the blind person, much like their sighted counterpart, does not submit a given form with hidden fields filled in pegs them as a curious person indeed. Since the only submissions without the Subject field filled in will be from people who read the source and (for some reason) decided not to fill in the subject line, or people who just don't know about it. Quite the conundrum! Thankfully from the grandparent post, we know that posts with this hidden Subject: field are disposed of, deleted. Wacky, eh? So it seems, and I'm just speculating here, that filling in hidden fields is actually a way...hold on now...to determine that the submitter is not a person. Beyond that, and really

I have no idea how he does this, blind people are not treated any differently in this regard.
I know, right? It took me awhile to figure it out, but I think I at least have the gist of it.

Re:I'm sick fo CATCHA (0)

Anonymous Coward | more than 5 years ago | (#26035759)

Oh see, that's the part where he says not accessible friendly.

Re:I'm sick fo CATCHA (0)

Anonymous Coward | more than 5 years ago | (#26034011)

Yes: site owners moderate the comments etc. they get, and report spammers. And force ISPs and hosting providers to actually take action instead of playing the McColo and making money by assisting spammers.

My blog, with about 10,000 daily visitors gets only 20-30 comment spams a day. Somehow spammers blacklist your site, with help of hosting providers like keyweb.de who has put the IP/24 of my site in their firewall so the spammers they are harbouring can't annoy me anymore...

Instead of looking the other way (filtering, CAPTCHAs), people should actually start DOING something about it. Spammers are always a few steps ahead, and this will stay as long as we allow them our resources, and they get mostly away with it. Too many people make money with spam, and I don't mean spammers per se. If you can't get to the spammers, get to the hosting providers that help them. Plenty of those in the USA and Europe for starters...

Re:I'm sick fo CATCHA (1)

c0p0n (770852) | more than 5 years ago | (#26034619)

Not only that, there are lots of people that can read english no problem, and therefore register on english speaking sites, but that can't speak or understand spoken english.

Screen capture (4, Funny)

Dan East (318230) | more than 5 years ago | (#26033091)

I'm half afraid to admit this publicly, but did anyone else try clicking the "play" button on screenshot of the audio CAPTCHA player in the first article? I took me a few tries before I realized it was only an image.

It doesn't matter too much anyway... (1, Interesting)

nweaver (113078) | more than 5 years ago | (#26033101)

A CAPTCHA is only worth $.0025 to break down on the Chinese Turing farms. Thus since a CAPTCHA can only protect something worth $.0025 anyway, making it more crack resistant doesn't buy all that much.

Re:It doesn't matter too much anyway... (3, Interesting)

flux (5274) | more than 5 years ago | (#26033185)

If you can make it to a longer time for a human to crack it, it would increase the costs. Double the time, double the cost.

But, say, if it now takes 10 seconds to crack a captcha, it would need to take more than an hour to cost $1 per captcha :-).

I wonder how a web-of-trust system combined with more difficult captchas (more trust -> easier captchas) would work; if a branch of the web is a spammer, it's easier to cut off.. But, this must've been suggested even in this context already, so hit me with the "your spam protection idea doesn't work, because.." form ;-).

Re:It doesn't matter too much anyway... (2, Interesting)

poetmatt (793785) | more than 5 years ago | (#26033759)

Only until someone finds a way to make cracking the captcha more efficient and suddenly it is back to the original cost to crack the same captcha again. This is what that machine learning is all about.

Meanwhile, the problem is that this back and forth with captchas is essentially causing programmers who wish to break it, to come up with very complex AI.

At some point, if the AI is smarter than the person, as mentioned above people won't be able to crack the captcha.

On this very article the only reason this "captcha has yet to be cracked" is because they just brought it out. Once it gets attention, it'll be cracked like all the rest.

Re:It doesn't matter too much anyway... (1)

sakonofie (979872) | more than 5 years ago | (#26033955)

But, say, if it now takes 10 seconds to crack a captcha, it would need to take more than an hour to cost $1 per captcha :-).

Kinda makes one wonder if in the future establishing an online identity will have to be done through some meatspace interactions.

If one had to travel and wait in a line somewhere, it would massively reduce the number of accounts someone could make per day. Say that an attacker has n people willing to help them, what would the effect be of capping people to 30*n accounts per day? Less spam no?

This would also jack the value of the accounts up making attacks to steal or disable large numbers of accounts much more valuable. Compromising computers would also increase in value. There also probably a ton of other concerns (privacy etc.).

Re:It doesn't matter too much anyway... (0)

Anonymous Coward | more than 5 years ago | (#26033825)

The point of CAPTCHAs (at least in part) is not to protect against a single phony transaction but to raise the bar high enough that it's not worth the time for most people to do a large-scale break. Without CAPTCHAs, your site is vulnerable to automated attacks from every bored hacker out there. With CAPTCHAs, you at least have to put some money down on the Chinese sweatshops or something, which most bored script kiddies won't do. Basically, adding CAPTCHAs won't help stop a dedicated criminal organization, but it will stop the people who are hacking for the "lulz".

All the biggest sites on the Web use some form of CAPTCHA, so they must be good for something.

Re:It doesn't matter too much anyway... (0)

Anonymous Coward | more than 5 years ago | (#26034255)

I'm going to bet that it costs more than $0.0025 for a Chinese person to type in the part of an old radio broadcast that they hear. While it's cheap for them to transcribe letters, they aren't going to be able to hear the words unless they're well-trained in English.

dom

Re:It doesn't matter too much anyway... (1)

argiedot (1035754) | more than 5 years ago | (#26034933)

Just the other day I was trying to get a crack for a program* and I came across this site that wanted me to type in a CAPTCHA to download. The first thing I wondered was whether these CAPTCHAs were actually from a legit site like yahoo.com and they were serving it to me to get me to break it.

* Yes, sometimes you need the crack for programs to run properly on Linux through Wine. Sucks, no? I'm sorry guys, I contributed to spam.

hell (3, Funny)

nomadic (141991) | more than 5 years ago | (#26033151)

I'm a human being and I can't break audio captcha. Sounds like gibberish to me.

Re:hell (0)

yincrash (854885) | more than 5 years ago | (#26033233)

I did it just fine.

Re:hell (4, Insightful)

numbsafari (139135) | more than 5 years ago | (#26034061)

You're probably a bot.

Re:hell (1)

AntiGenX (589768) | more than 5 years ago | (#26033677)

I listened with my speakers and I couldn't understand either. Headphones improved this slightly. Also, some of the phrases seemed to have multiple speakers and I wasn't sure if I needed to transcribe both speakers words.

Re:hell (4, Funny)

Lobster Quadrille (965591) | more than 5 years ago | (#26034327)

Don't know what your problem is- I'm a perl script and I understood it just fine.

Give it up already (0)

qoncept (599709) | more than 5 years ago | (#26033225)

Why does anyone bother using captcha, or asking silly questions, or any of that anymore? Computers are better at it than people. Give it up, and just start banning hosts until something better comes up.

Re:Give it up already (4, Insightful)

compro01 (777531) | more than 5 years ago | (#26033415)

Banning that way doesn't work real well when you consider dynamic IPs, distributed attacks (bot nets), proxies, etc.

Unless you're willing to ban at least a third of the world, you're not going to get much out of that.

Re:Give it up already (1, Insightful)

X0563511 (793323) | more than 5 years ago | (#26033609)

Just let the spam flow and crap up everything. When everything is useless, perhaps they will give up.

Right now, they push tons of shit with the hope that the peak of it might show through. If all of it is seen, the volume might backfire.

It sure will suck for everyone though.

Re:Give it up already (1)

SkyDude (919251) | more than 5 years ago | (#26034853)

Unless you're willing to ban at least a third of the world, you're not going to get much out of that.

Yeah, but doing so will make admin-ing your site a whole lot easier. And. it's probably the third that no one likes anyway....

Re:Give it up already (1)

neoform (551705) | more than 5 years ago | (#26035111)

Ban? No, but if a given IP fails the captcha 10 times in 10 minutes, you can always blacklist the IP and auto-fail any further attempts from that IP for 24 hours..

Lets go back to human moderation (1)

Progman3K (515744) | more than 5 years ago | (#26033913)

I know it is a lot but you would need a valid e-mail to post, and administrator would need to follow up with you to OK your account, your registration e-mail would actually have to contain the actual reason of why you want to post, all posts would have to be moderated/verified before they became visible, ex...

I can hear you all protesting already: But what about anonymity, what about ease-of-use?

Yes, yes... But it IS the only way.

It's a price I'd be willing to pay to end the spam because as we have seen, most users are unable to keep their machines disinfected.

Re:Lets go back to human moderation (1)

berend botje (1401731) | more than 5 years ago | (#26034883)

I'm a member of a few forums (fora?) and mailing lists where you can only post when you have backing of two members. If you start spamming, you get kicked out and those two sponsors are kicked out. So far, with a few thousand members, there have been _two_ spams in total.

Re:Lets go back to human moderation (2, Interesting)

Progman3K (515744) | more than 5 years ago | (#26035451)

And if the posts were held before becoming visible, there wouldn't even have been one.

The community your are a member of seems to be near this level of completeness.

Having a few trusted reviewers who read all posts before letting them pass would be the last step.

People often complain about schemes like this that their messages need to be seen immediately so people can respond immediately but I say having two or three moderators would make the whole process pretty quickly anyway.

Remember when you used to mail things? THAT took time and the world STILL progressed.

REPATCHA strong? (3, Interesting)

RiotingPacifist (1228016) | more than 5 years ago | (#26033229)

i thought RECAPATCHA was susceptible, as if enough bots guess the same answer on an image they will make that a valid answer. Does this not work or has nobody bothered?

Re:REPATCHA strong? (2, Informative)

greatgregg (1106739) | more than 5 years ago | (#26033439)

This doesn't work because they distort the images different every time.

Re:REPATCHA strong? (5, Interesting)

Anonymous Coward | more than 5 years ago | (#26033445)

If you get it wrong, they'll temporarily start sending you captchas in which both words are known. The chances of a bot guessing both words correctly are minuscule.

audio captcha in office (1)

captainpanic (1173915) | more than 5 years ago | (#26033263)

In my crystal ball I see some fool who does not turn off the sound on the PC in an office. Unfortunately, history has shown that many people also still have digital camera's that make the *click* noise, so I have no hope that this will not disturb the peace.

Audio requred by law (5, Funny)

tepples (727027) | more than 5 years ago | (#26033433)

In my crystal ball I see some fool who does not turn off the sound on the PC in an office.

By law, offices of companies over a certain size must accommodate people whose disability requires sound to do their jobs.

Unfortunately, history has shown that many people also still have digital camera's that make the *click* noise

By law, camera phones must make the click noise when operated within some countries to help fight voyeurism.

Re:Audio requred by law (1)

X0563511 (793323) | more than 5 years ago | (#26033643)

By law, camera phones must make the click noise when operated within some countries to help fight voyeurism.

Yet more law with little real thought put into it.

How does that stop someone from wiring in a switch to bypass the speaker? Heck, if you use the right inductor instead of a straight bypass, the device couldn't even tell.

Re:Audio requred by law (0)

Anonymous Coward | more than 5 years ago | (#26034197)

the poster was just BS'n. There aren't any laws like that.

Re:Audio requred by law (5, Insightful)

Waffle Iron (339739) | more than 5 years ago | (#26033651)

By law, camera phones must make the click noise when operated within some countries to help fight voyeurism.

That's a great idea. However, we need a law for video cameras, too.

I propose that by law, each video camera must be equipped with a prominent hand crank, and shall only record while the crank is being turned. Furthermore, as added protection, people with video cameras must wear a beret and carry a conical megaphone at all times while operating said device.

Re:Audio requred by law (3, Funny)

Ihmhi (1206036) | more than 5 years ago | (#26035087)

I think forcing everyone who uses a video camera to dress up like a French cheerleader would fall under cruel and unusual punishment.

Re:Audio requred by law (1)

captainpanic (1173915) | more than 5 years ago | (#26033683)

In my crystal ball I see some fool who does not turn off the sound on the PC in an office.

By law, offices of companies over a certain size must accommodate people whose disability requires sound to do their jobs.

Unfortunately, history has shown that many people also still have digital camera's that make the *click* noise

By law, camera phones must make the click noise when operated within some countries to help fight voyeurism.

That is true, perhaps even in most European countries. However, fools that simply fail to turn off the sound are a lot more common than the disabled people requiring sounds on the pc to work. Also, note that I was not making a comment about traffic lights making ticking noises. Those are useful. But the average user does not require sound except for listening music or watching movies on a pc... and you can debate whether that is desirable at work. Reply is (slightly) off topic from main article. Apologies.

Re:Audio requred by law (0)

Anonymous Coward | more than 5 years ago | (#26035821)

Interesting because I just bought a new T-Mobile phone that has a camera phone and there's a setting to turn off the click sound.

Solution to AI research? (5, Funny)

ashp (2042) | more than 5 years ago | (#26033269)

They should just make a CAPTCHA that requires strong AI to crack; we could make a great leap ahead in AI by letting the spammers solve all the problems for us!

Re:Solution to AI research? (0)

Anonymous Coward | more than 5 years ago | (#26033537)

An incorrect answer would be a sure sign it was a human!

Re:Solution to AI research? (1)

Kuciwalker (891651) | more than 5 years ago | (#26033577)

Congratulations, you just came up with the inspiration behind ReCAPTCHA.

Re:Solution to AI research? (0)

Anonymous Coward | more than 5 years ago | (#26033611)

1. Make CAPTCHA that requires strong AI to crack
2. Let the spammers make strong AI
3. Skynet
4. ???
5. Profit!

Wait, OH SHI-

It will happen, says MIT Technology Review (1)

tepples (727027) | more than 5 years ago | (#26034087)

They should just make a CAPTCHA that requires strong AI to crack

The impression I got from this Technology Review article [technologyreview.com] is that your CAPTCHA will eventually happen. But a business using one of these might eventually run into a disability discrimination problem if the system confuses real people of below-average intelligence with bots.

Re:It will happen, says MIT Technology Review (0)

Anonymous Coward | more than 5 years ago | (#26034765)

If you're running a web forum, and your CAPTCHA excludes people of below-average intelligence, isn't that a feature?

Re:It will happen, says MIT Technology Review (1)

tepples (727027) | more than 5 years ago | (#26034953)

If you're running a web forum, and your CAPTCHA excludes people of below-average intelligence, isn't that a feature?

There are people who display below-average aptitude in some areas but above-average aptitude in other areas. If your CAPTCHA tests the former but your web forum is about the latter, you are discriminating. Besides, I said "business"; if you're making money, governments expect more inclusion from you.

Re:It will happen, says MIT Technology Review (1)

Ihmhi (1206036) | more than 5 years ago | (#26035123)

Keeping people of below-average intelligence off of my website? That doesn't sound like discrimination, that sounds like reduced costs and maintenance in tech support.

Make CAPTCHAs relevant (1)

tepples (727027) | more than 5 years ago | (#26036019)

Keeping people of below-average intelligence off of my website? That doesn't sound like discrimination, that sounds like reduced costs and maintenance in tech support.

It's also reduced costs and maintenance not to repair your wheelchair ramp. As I wrote in my other post [slashdot.org] , one can be a genius at one subject but (to put it mildly) less than a genius at another; your CAPTCHA has to measure competence in the subject at hand. For example, how many people not immersed in African-American culture could pass BITCH-100 [wikipedia.org] ?

Re:Solution to AI research? (1)

Lobster Quadrille (965591) | more than 5 years ago | (#26034371)

You say that in jest, but the fact is that spammers are already leading the field- captchas are getting more and more complicated because the bots are getting smarter.

Instead of Captcha (1)

Rik Sweeney (471717) | more than 5 years ago | (#26033289)

Why don't they use DHTML and JavaScript to simulate the 3 cups and 1 ball game? You'd start off with the ball in the middle cup and then it could mix the cups up and you have to pick the right cup. Audio would be supported too:

"Keep your eye on the ball! Follow it! Don't watch the other cups, just the one with the ball in it!"

Re:Instead of Captcha (1)

cleatsupkeep (1132585) | more than 5 years ago | (#26033791)

Because then any spam bot would have a 1 in 3 chance of getting it correct. And then if you try to scale if up to 100 cups and 1 ball, then it would not be feasible for even a human to follow.

Re:Instead of Captcha (1)

maxume (22995) | more than 5 years ago | (#26033999)

If it was widely deployed, bots would simply simulate the correct response, either by inspecting the javascript objects, or simply ripping the response out of the source text (depending on how hard the scripter worked to keep the answer secretz).

Re:Instead of Captcha (1)

cleatsupkeep (1132585) | more than 5 years ago | (#26034075)

Yeah, that's a good point too. A lot of these "self thought up" Captcha schemes might work well on one or two sites, but when you talk about deploying to sites like Google and Yahoo (huge spam bot targets), a lot of them become infeasible.

Re:Instead of Captcha (0)

Anonymous Coward | more than 5 years ago | (#26034063)

Or maybe a CAPTCHA based on "2 girls, 1 cup", using your webcam to capture the reaction? Kind of like the Voight-Kampff test [wikipedia.org] .

Ad disguised as news (2, Insightful)

ouder (1080019) | more than 5 years ago | (#26033299)

Isn't this just an advertisement for ReCAPTCHA disguised as a news item?

Re:Ad disguised as news (1, Interesting)

Anonymous Coward | more than 5 years ago | (#26033775)

ReCAPTCHA is a 100% free service provided by CMU. They don't directly benefit from its usage, so why would noting its merits be bad in any way?

RECAPTCHA (5, Insightful)

EddyPearson (901263) | more than 5 years ago | (#26033357)

People crack CAPTCHAs for profit. They either sell the algorithms to spammers or spam themselves.

The thing is, if you managed to reliably crack RECAPTCHA, then you've succeeded where all the best OCR software on the market has failed (All Recaptcha's are words that couldn't be deciphered by existing software). At which point there's big bucks to be made legally selling the software.

Re:RECAPTCHA (1)

S3D (745318) | more than 5 years ago | (#26034397)

The thing is, if you managed to reliably crack RECAPTCHA, then you've succeeded where all the best OCR software on the market has failed

I don't think so. For spammer 10% of success is a reliable CAPTCHA crack, but for OCR it's a failure.

Has Anyone Tried? (0)

sceo (1058316) | more than 5 years ago | (#26033371)

I just tried on the recaptcha site and got about a dozen WRONG. I didn't get any right! What gives?

Re:Has Anyone Tried? (0)

mikecslashdot (1106815) | more than 5 years ago | (#26033437)

It worked for me. I just typed in what I heard and got 5 right in a row.

It's too secure... (0)

Anonymous Coward | more than 5 years ago | (#26033387)

I tried 5 times in a row and I can't figure out any of the audio CAPTCHA's from the ReCAPTCHA site either.

where's my universal translator then? (1)

pbhj (607776) | more than 5 years ago | (#26033417)

So, "machine learning" can now translate any speech in any language to text. Where's my universal translator then?

Re:where's my universal translator then? (2, Informative)

Xest (935314) | more than 5 years ago | (#26033951)

I don't really understand how translating from speech into text is equal to translating from speech to text in a different language.

I could listen to every word you say and write it down no problem, but ask me to translate it into Japanese or something and I wouldn't have a clue.

You only have to look at games like Endwar to see how good speech recognition has gotten, it requires no calibration (well, maybe a word or two at the start) and has yet to fail me once and it seems to work for people with many different accents.

That said, Endwar does use specific commands so I suppose it could be a somewhat simplified scenario in that if the command words are selected sensibly there is no overlap in commands sounding nearly similar, but regardless even much of the voice reconigtion software for dictating documents etc. out there now does a great job with little to no training now.

Re:where's my universal translator then? (0)

Anonymous Coward | more than 5 years ago | (#26035321)

It creates text, but it doesn't know the meaning of the text. Most likely it is simply looking for phonemes and putting them together. If the CAPTCHA was "sesquipidalian", you wouldn't have to know what it means to be able to type the word into the textbox.

Ask questions (0)

Anonymous Coward | more than 5 years ago | (#26033575)

Why not have them ask questions like "what is three plus 4 times twelve - 7?" or what have you, if the ai can crack those we'll have made a lot of progress.

Re:Ask questions (1)

joshuao3 (776721) | more than 5 years ago | (#26033757)

Let's see:

(3+4) * 12 - 7 = 77
3 + (4*12) - 7 = 44
(3+4) * (12-7) = 80

I was thinking more along the lines of showing a row of animals, fruits, cars, etc, and having the audio say "click on the 2nd blue car after the 1st rabbit, counting from the left".

Re:Ask questions (1)

Tony Hoyle (11698) | more than 5 years ago | (#26034025)

That's going to go down well with colour blind users.

It's probably along the right lines though... use something that you need an english language parser to make sense of.

Re:Ask questions (2, Informative)

Paradigm_Complex (968558) | more than 5 years ago | (#26034617)

One of the requirements is that there will be an extremely large number of possible questions (and answers) to keep attackers from making a small database for every question or simply brute forcing it too quickly. As a result it is preferable not to need human interaction to create the question/answer sets. Varying pictures of animals/etc are not something computers can generate on their own, but would require human beings to collect. The amount of additional manpower needed using such a method over what we use today is substantial... too much.

Re:Ask questions (1)

johnny cashed (590023) | more than 5 years ago | (#26035215)

(3+4) * (12-7) = 80

Perhaps I missed something, but I thought that 7 * 5 = 35 Not 80.

Re:Ask questions (1)

Ihmhi (1206036) | more than 5 years ago | (#26035177)

This [google.com] is why. All a CAPTCHA bot would have to do is run a google search.

It would be difficult to have a sufficiently random math-based CAPTCHA scheme that couldn't be cracked by Google's calculator.

Back to Old School Methods of Verification (4, Insightful)

Ron Bennett (14590) | more than 5 years ago | (#26033607)

Captchas are user unfriendly and relatively ineffective.

A more effective route is to require a new user to submit their postal address and a phone number. Then the service mails a post card containing a verification code to the postal address and/or calls the phone number. Google does this for AdSense publishers.

Ron

Re:Back to Old School Methods of Verification (1)

Tony Hoyle (11698) | more than 5 years ago | (#26034049)

The day a forum does this I stop posting on them. It's irritating enough having to register without having to wait 2 days for the post to arrive before I can reply.

Re:Back to Old School Methods of Verification (1)

Literaphile (927079) | more than 5 years ago | (#26034085)

"Want to download this file? Fill out the form and wait for us to send you a post card first."

I don't think so...

Re:Back to Old School Methods of Verification (1)

berend botje (1401731) | more than 5 years ago | (#26034991)

Man, that's a flashback to the days of BitFTP! :-(

Re:Back to Old School Methods of Verification (1)

petermgreen (876956) | more than 5 years ago | (#26034177)

Captchas are user unfriendly and relatively ineffective.
For smaller operations they are very effective provided you have the sense to roll your own. For larger operations traditional captchas don't work so well but recaptcha which uses challanges sourced from real old books and seems to be on to a winner.

A more effective route is to require a new user to submit their postal address and a phone number. Then the service mails a post card containing a verification code to the postal address and/or calls the phone number. Google does this for AdSense publishers.
More effective certainly but relatively expensive and even more user unfriendly than a captcha. Would you want to give out your address or phone number just to say post on a forum? Anyway it's not as though getting phone numbers is difficult, I know a VOIP provider where signup is free and while they ask for an address they don't do anything to verify it.

ultimately no system is perfect, it is just a matter of taking steps that provide usefull benifit (reducing the impact that abusers have) at an acceptable cost (both in terms of direct cost to the operator and inconvinance and perceived risk for users)

Re:Back to Old School Methods of Verification (3, Interesting)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26034643)

One thing we could do more of(though it is not without risks of its own) would be looking at getting the account as only the first step, rather than the last. For instance, some free webmail service could rate limit new accounts to only X emails/hour, or change an account's rate limit according to how spammy its outgoing messages look(or, within a given service, how often other members mark that account's mail as spam). On forums, you could do the same in response to other user's moderation of posts.

This would work relatively poorly for high value things like bank accounts (though high value stuff can be handled by more expensive means, like phone confirmation) but it could be quite useful for low value things like webmail accounts. The task of sorting humans from bots on a single computer generated task is getting ever harder, particularly if you need to make a binary yes/no decision on the spot; but giving an account greater or lesser resources according to how human its activity looks is much more tractable. It won't be perfect; but it should reduce the value to spammers of the accounts they do get.

Re:Back to Old School Methods of Verification (1)

petermgreen (876956) | more than 5 years ago | (#26035047)

For instance, some free webmail service could rate limit new accounts to only X emails/hour
The trouble is that kind of measure is largely useless if you don't limit the rate at which abusers can get new accounts. If a new account can only send 10 emails per hour and the abuser wants to send 10000 emails per hour they just need to get 1000 accounts.

So to be effective such measures need to be used in addition to measures against bots creating accounts, not instead of them.

Re:Back to Old School Methods of Verification (1)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26035531)

As you say, such measures only make sense if you can limit new account rates. I merely propose it because it is something that you can add on, which substantially reduces spamming efficiency, without making CAPTCHAs even more difficult. I suspect that, for most webmail type services, reducing the spam value of an account by half without undue impact on users would be trivial. Reductions of 90% might well be doable with a little pain for new users. In terms of spam per unit time, a 90% reduction in account value would be equivalent to a CAPTCHA that is 10 times harder to crack, without making the CAPTCHA any more hostile. Very much a hackish incremental arms race type of solution; but still useful.

Re:Back to Old School Methods of Verification (1)

0100010001010011 (652467) | more than 5 years ago | (#26034407)

My bank does this with a text message. "I don't recognize this computer. How would you like to authenticate yourself?

Text To: XXX-XXX-0001
Voice To: XXX-XXX-0001"

It usually comes through in seconds.

Re:Back to Old School Methods of Verification (1)

basicio (1316109) | more than 5 years ago | (#26034477)

There are several reasons this a terrible, terrible idea.

Do you really want to wait a week or two to be able to sign up places? No, didn't think so.

Do you really want to give your telephone number and address to every website you visit regularly?

AdSense is a whole different ballgame here. Google is running a business, and so can afford the relatively small price of postage/cost of running the phones to make the calls, and since it's a business transaction you're exchanging money and so knowing addresses/phone numbers of the parties you're dealing with is necessary, and waiting a week or so if necessary isn't unrealistic.

But that's not a use condition comparable to most of the places where captchas are used.

Why are CAPTCHAs so stupid? (1)

dingen (958134) | more than 5 years ago | (#26033635)

Why don't they put some logic in CAPTCHAs which is easy for a human to understand, but impossible for a bot to get right?

Instead of having to repeat what is on your screen or speakers, you could ask the user a simple question to verify if the user is indeed human. You could for example ask the color of something, or ask for the user to do a simple calculation and post the results. You could also give four objects and ask which one doesn't belong with the other three.

This would mean that a bot would have to understand the question in order to give the right answer, which is a lot harder to achieve than simply repeating what is displayed.

And as an extra added bonus, if these type of CAPTCHAs are also cracked, then at least we'll have some major breakthrough in AI development.

Re:Why are CAPTCHAs so stupid? (0)

Anonymous Coward | more than 5 years ago | (#26033859)

1 in 4 objects. That means the bots have a guaranteed 1 in 4 chance of being right. A 25% success rate is actually pretty good even for decent bots and a cracked captcha.

Most things that become very hard in AI are inherantly hard for humans to do and so the captcha is just a block to a service.

I actually have a customer who wants captcha on their website but is moaning it is too hard to read the words. They want something that is just as hard for a bot to break but easy for a person. They also don't seem to get that one web developer is not better than most of the academic world and I can't come up with much better off the top of my head.

Re:Why are CAPTCHAs so stupid? (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26034053)

The tricky bit with CAPTCHA is not just asking questions that are easy for humans and hard for AI. There is a huge field of well known stuff, common sense, basic knowledge, etc, etc. that would work. The problem is asking questions that are easy for AI to ask, easy for humans to answer and hard for AI to answer.

If you have to manually populate your CAPTCHA, you have a problem. It costs just about as much(in money and time) to manually document a set of CAPTCHA questions as it would to build the set. If you can't generate questions automatically, your CAPTCHA will be expensive, or useless, or both. RECAPTCHA is interesting in that is a something of a hybrid. It makes use of real world complexity, from scanned documents; but largely automates the conversion of real world complexity into CAPTCHAs, which makes it fairly practical to use at a large scale.

Re:Why are CAPTCHAs so stupid? (2, Funny)

bendodge (998616) | more than 5 years ago | (#26034995)

Is this why handwriting won't work? Fancy elderly handwriting is especially hard to read. OCR software is rather helpless against it. (I propose hiring retired people to write words sloppily and scan them!)

Re:Why are CAPTCHAs so stupid? (1)

Ihmhi (1206036) | more than 5 years ago | (#26035383)

I'm assuming that CAPTCHA stores the correct answer in such a way that it can't be directly read by a bot - the CAPTCHA has to be solved.

Why don't they just use CAPTCHAs that ask questions that are artistic, subjective, etc.? Smoe examples, using pictures I searched for on flickr:

1) What color is this fruit [flickr.com] ?

2) What kind of animal is this [flickr.com] ?

3) How many rungs are on this ladder [flickr.com] ?

All questions that would be easy for a human to ask but are subjective enough that it would be difficult for a computer to answer them.

We could even go for outright trickery, such as this one: How many dogs are in this picture [flickr.com] ? (Acceptable answers: zero, 0, none, no dogs, etc.)

And just for shits and giggles, we can randomly include letters in pictures to confuse the Hell out of CAPTCHA readers.

The only thing I wonder about something like this - would having multiple possible answers make a CAPTCHA like this stronger or weaker?

This wouldn't solve the CAPTCHA farmer problem, but I think it would solve the bot problem.

Re:Why are CAPTCHAs so stupid? (1)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26035887)

The problem with your proposed CAPTCHAs is generating them and scoring them. Writing a program that can look at pictures and ask meaningful questions, in natural language, about them would be crazy difficult. A matching program to take natural language answers and score them for correctness would be equally unpleasant.

In essence, for a computer to ask a CAPTCHA question about a picture, it has to be able to analyze the picture and ask a decent question about it, and then interpret the result. For a computer to answer a CAPTCHA question about a picture, it has to interpret the question and the picture, and give a decent answer. Those are virtually identical problems(in terms of the image processing and natural language AI that would be needed in each case). To be a good CAPTCHA, creating problems has to be far easier than answering them.

Re:Why are CAPTCHAs so stupid? (1)

imikedaman (1268650) | more than 5 years ago | (#26035289)

Why don't they put some logic in CAPTCHAs which is easy for a human to understand, but impossible for a bot to get right?

And while we're at it, why don't we come up with a cure for Cancer that leaves the healthy cells alone, but eradicates the Cancer cells completely!

(psst, you do realize that you just described the ultimate goal of CAPTCHAs, right? Saying it is one thing, but actually doing it is something else entirely.)

You could [...] ask for the user to do a simple calculation and post the results.

That was already solved years ago by OCR software, and distorting the numbers and symbols wouldn't work since we already have software that recognizes distorted symbols better than we do.

You could also give four objects and ask which one doesn't belong with the other three.

Even a random number generator would be right 25% of the time. One goal of CAPTCHAs is to effectively remove the possibility of simply guessing the correct answer. Asking for a color would have the same problem, as there are a limited number of colors that have well-known names. It'd be bypassed in milliseconds.

Instead of having to repeat what is on your screen or speakers, you could ask the user a simple question to verify if the user is indeed human.

That would require a massive database containing hundreds of thousands of questions that are all easily answerable by any English-speaking average Joe and contain all acceptable synonyms. Even a simple and specific question like "what do people normally sleep on" should accept answers like bed, hammock, couch, blankets, and mattresses, and could still easily be cracked by a simple relational database that finds pairings between keywords (like "sleep" and "bed"). You can't demand more complex sentence structures in the answers either since that would only make it increasingly harder for the user to figure out the exact structure and words the server expects them to use.



I think what you don't realize is that all spammers have to do is reach an acceptable (usually very low) success rate for it to be considered cracked. After all, they can attack your CAPTCHA system endlessly using a whole army of computers with IP address spoofers. They are well aware that their system can afford being wrong a few hundred times in a row as long as it gets one right every once in a while.

Unfortunately, that means that even the best of your suggestions would be cracked within hours.

ni6ga (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26034307)

of progrees. conversations where
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?