Building a Better CAPTCHA

Soulskill posted more than 5 years ago | from the we-have-the-technology dept.

Security 197

jcatcw writes "Steven J. Vaughan-Nichols reports that CAPTCHA cracking isn't that difficult these days. It has even become a business. For example, DeCaptcher.com will solve CAPTCHAs for your spamming needs at a rate of $2 per 1,000 successfully cracked CAPTCHAs. In response, newer systems are in development. Both Carnegie Mellon and Penn State (is there something about the water in PA?) are working on image-based systems. ESP-PIX and SQ-PIX both require the viewer to interpret pictures. Imagination CAPTCHA from Penn has the user find the center of an image. The idea is that humans are better at image recognition than computers, but humans can legitimately disagree on their interpretations and some humans are color blind. Problems remain. For now, sites would be well advised to look at reCAPTCHA — the system that works with Google Books and the Internet Archive to digitize printed texts — which comes with a wide variety of application and programming plug-ins and an open API."

Indecipherable (5, Insightful)

Bordgious (1378477) | more than 5 years ago | (#26583363)

I know _I_ often have trouble seeing those... Maybe some sort of an animated .gif would be better?

Re:Indecipherable (3, Funny)

multisync (218450) | more than 5 years ago | (#26583419)

I know _I_ often have trouble seeing those... Maybe some sort of an animated .gif would be better?

Me too. Wanna go halfers on 1000 CAPTCHAs?

Re:Indecipherable (1)

RichardJenkins (1362463) | more than 5 years ago | (#26584975)

decaptcha.com is just a middle man for a mechanical turk style service, right?

Re:Indecipherable (3, Insightful)

Harik (4023) | more than 5 years ago | (#26585071)

Pretty much. It's outsourcing your captcha solving to impoverished third-world solvers. So really, there's nothing they can do to make captchas better - humans ARE solving them, it's just an economic imbalance being exploited.

I use it because I'm sick of captchas everywhere and it's dirt cheap. I figure if we break them bad enough people will stop trying dumb technical solutions to social problems. (spam)

Youtube captchas are terrible. (2, Insightful)

zymano (581466) | more than 5 years ago | (#26583387)

I speak for everyone. Captchas SUCK.

Get rid of them.

Re:Youtube captchas are terrible. (1)

Goaway (82658) | more than 5 years ago | (#26583443)

Well, you go get rid of the spammers, and we will.

Re:Youtube captchas are terrible. (1)

sexconker (1179573) | more than 5 years ago | (#26583933)

Captchas aren't stopping spammers.

Re:Youtube captchas are terrible. (2, Insightful)

Goaway (82658) | more than 5 years ago | (#26585097)

Yes, they are. They are not stopping all spammers, but that is very different from not stopping them at all.

Re:Youtube captchas are terrible. (0)

Anonymous Coward | more than 5 years ago | (#26584539)

What spammers?

Build a system that's not spammable. (2, Interesting)

SanityInAnarchy (655584) | more than 5 years ago | (#26584743)

I'm not sure how, yet, but I want people to start thinking about it this way.

Just like DRM.

See, with DRM, start with the assumption that all DRM can and will be cracked, and that all software and media can and will be pirated. Your challenge, then, is to make the legitimate product provide at least the quality and value of the pirated copy (something most DRM'd solutions fail miserably at), and ideally make it desirable enough that your price starts to seem reasonable, even when the alternative is "free".

So, the same applies to CAPTCHAs. Start with the assumption that all CAPTCHAs can and will be cracked, even if "cracking" means "using Mechanical Turk and/or a real sweatshop to have humans crack it". Now, start thinking in terms of economics. Build a system which doesn't have sufficiently good payoff for cracking it for anyone to bother -- a system which, by its very nature, can't be spammed.

If you can at least get it to where the only waste is bandwidth and disk space, you're doing pretty good. That's about my current spam situation -- it's a statistical filter which operates on the entire message, but it works incredibly well.

Until then, an automated hack that seems to work well, at least to stop blog spam, is to require AJAX, and send a bit of programmatically generated (but always different) JavaScript, and verify that it was executed. This will stop most automated systems until they start specifically targeting you with embedded Javascript engines. Next: Make it computationally expensive, so that they have to use a botnet if they're to get any real results.
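The "computationally expensive" step suggested in the comment above, sketched as an added example that is not part of the original post: the server hands out a random single-use challenge and accepts a submission only with a nonce whose SHA-256 hash has a required number of leading zero bits. The names `PowGate` and `solve`, the 16-bit difficulty and the 120-second lifetime are assumptions; in a browser the `solve` loop would be the JavaScript sent with the form.

```python
import hashlib
import os
import time


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def pow_hash(challenge: str, nonce: int) -> bytes:
    return hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()


def solve(challenge: str, difficulty: int) -> int:
    """Client side: brute-force the first nonce that meets the difficulty.

    Expected work is about 2**difficulty hashes per submission.
    """
    nonce = 0
    while leading_zero_bits(pow_hash(challenge, nonce)) < difficulty:
        nonce += 1
    return nonce


class PowGate:
    """Server side: issue challenges and verify each one at most once."""

    def __init__(self, difficulty=16, ttl=120, clock=time.time):
        self.difficulty = difficulty
        self.ttl = ttl
        self.clock = clock
        self.pending = {}  # challenge -> expiry timestamp

    def issue(self) -> str:
        now = self.clock()
        # Drop challenges that were never answered, so the table stays bounded.
        self.pending = {c: e for c, e in self.pending.items() if e >= now}
        challenge = os.urandom(16).hex()
        self.pending[challenge] = now + self.ttl
        return challenge

    def verify(self, challenge: str, nonce: int) -> bool:
        # pop() makes the challenge single-use: a solved challenge cannot be
        # replayed for a second post, and a wrong guess burns it as well.
        expiry = self.pending.pop(challenge, None)
        if expiry is None or self.clock() > expiry:
            return False
        # Verification costs the server one hash, whatever the difficulty.
        return leading_zero_bits(pow_hash(challenge, nonce)) >= self.difficulty


if __name__ == "__main__":
    gate = PowGate()
    c = gate.issue()
    started = time.time()
    n = solve(c, gate.difficulty)
    print(f"nonce {n} found in {time.time() - started:.2f}s,",
          "accepted" if gate.verify(c, n) else "rejected")
```

Each extra bit of difficulty doubles the client's expected work while the server's check stays at one hash.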

Re:Build a system that's not spammable. (1)

Harik (4023) | more than 5 years ago | (#26585099)

Given that spammers are using botnets NOW, what exactly are you going to accomplish by requiring everyone to burn CPU cycles just to post a comment? There's 5-10 million zombies out there, on some pretty fast machines spread out over millions of unique IPs at any given time.

Please, don't suggest something stupid AND already obsolete, we might get saddled with it.

Re:Youtube captchas are terrible. (0)

Anonymous Coward | more than 5 years ago | (#26583651)

Youtube has captchas?

Re:Youtube captchas are terrible. (0)

Anonymous Coward | more than 5 years ago | (#26583687)

Youtube has captchas?

Yes if you post too many comments (I think it's 15 or so in a short period of time) you'll be asked to enter the text from an almost impossible to read captcha.

Re:Youtube captchas are terrible. (1)

ushering05401 (1086795) | more than 5 years ago | (#26583875)

Seems like a stop-gap maneuver to buy some time against the crap flood.

A few days ago I had to get a hold of someone through a popular social network that I don't normally use. I asked another person to come look at the captchas the site was giving me before allowing me to send each message. The captchas were not just hard to read... the first letter was completely unintelligible to the point that I wasn't even sure there was a letter present beneath the obfuscating distortions.

At first I thought that some changes to my desktop package might be causing some sort of rendering issue, but I tried the link to load another puzzle and the second puzzle was simple to decode at first glance.

So I proceeded with my conversation across this social network and the same thing happened every time. Unreadable first captcha, simple second one.

Dying Technology (5, Insightful)

EdIII (1114411) | more than 5 years ago | (#26583407)

The idea is that humans are better at image recognition than computers

C.A.P.T.C.H.A - Completely Automated Public Turing test to tell Computers and Humans Apart.

This is a dying technology.

1) Computers and synthetic systems in general are ONLY going to get better at doing anything a human can do. I mean anything.

2) Humans are a substitute for our lack of a synthetic system to solve a CAPTCHA.

A CAPTCHA has two answers to its owner. This is a Human and this is a Computer. Humans can be hired to solve CAPTCHA at economically viable rates to meet the demand with a supply. Computers are catching up at being able to solve various CAPTCHAs creating an "arms race" between developers and those that need to crack CAPTCHA automatically with high throughput.

The window for this technology to be effective in its use is shrinking rapidly and it will only be a matter of time before it is nearly impossible to tell without physical inspection what is a synthetic human response and an actual one.

Re:Dying Technology (4, Informative)

Goaway (82658) | more than 5 years ago | (#26583473)

Humans can be hired to solve CAPTCHA at economically viable rates to meet the demand with a supply.

Not in general. For high-value targets, yes. For spamming blog comments, no.

Re:Dying Technology (1)

Eudial (590661) | more than 5 years ago | (#26584039)

Humans can be hired to solve CAPTCHA at economically viable rates to meet the demand with a supply.

Not in general. For high-value targets, yes. For spamming blog comments, no.

Except that cracking one blog system CAPTCHA cracks all blogs with that system's CAPTCHA. Which makes anything but custom software (that Joe Sixpack wouldn't know the first thing about building) a high-value target.

Re:Dying Technology (3, Insightful)

Dhalka226 (559740) | more than 5 years ago | (#26584335)

Using a human being to solve a CAPTCHA is not "cracking" the CAPTCHA, nor does it make the next blog or even the next CAPTCHA any less secure. If the CAPTCHAs are actually successful enough that the only solution is to hire third-worlders to do them for you, a large part of the battle is already won.

Will it stop all spam? No. Will all spam ever be stopped? Nope, so let's take what we can get while we can get it.

Re:Dying Technology (1)

jd (1658) | more than 5 years ago | (#26583783)

Well, computers are still pretty crappy at heuristics, whereas the human brain is much better. Non-computable problems cannot be solved by a computer at all.

Let us take a theoretical CAPTCHA. This CAPTCHA uses optical illusions to create images in the brain that do not appear on the screen. These illusions are not, however, contained within a single image but an animation that is rapidly flipped through, exploiting persistence of vision to include the elements of the images you actually want and to exclude elements of the image introduced as deliberate noise.

This CAPTCHA is not pre-generated and pulled from a dictionary, but is generated at time of use from an effectively infinite pool of possibilities.

What I have described to you as a CAPTCHA system is not far removed from how John Logie Baird's colour TVs worked. This is not new stuff, and if some half-forgotten inventor in the days of thermionic valves could produce entire TV shows by this method, any website should be able to generate such CAPTCHAs using a high-end modern computer with a fraction of the effort.

However, could a computer solve such a CAPTCHA? Algorithmically, probably not. The information has been distributed in time as well as space, and simple line-removal code won't help you figure out what is signal and what isn't.

You could use algorithms to raytrace each layer of the data via a model of the computer screen and eye, apply the aliasing effects within the eye, then filter out the noise, but you're now talking one or two hours per CAPTCHA - well above the timeout most websites have. Because there's no dictionary and there are an effectively infinite number of permutations for the same output, you cannot take shortcuts or buy a CD with pre-rendered solutions.

Computers will equal humans on such a system the day that the Turing Test is truly passed, but no computer will ever out-perform a human on this style of CAPTCHA, because the human brain is simply far far too good at the sort of parallel processing tasks required.

Re:Dying Technology (1)

retchdog (1319261) | more than 5 years ago | (#26583909)

Your description is vague (perhaps intentionally so), but I'm skeptical nonetheless.

The persistence-of-vision hurdle is easily jumped, by tuning a decay function to interpolate across the animated gif so that it looks like the appropriate single frame. Note, this only has to be done once.

This leaves the optical illusions. Again, there are really only so many of these, and they can be pattern-recognized and classified as whatever they represent. You can stick them together in any combination but this just adds a segmenting problem. Both of these problems have already been solved for standard captchas (where there is the extra problem of those lines connecting letters, in order to make the segmentation harder).

Re:Dying Technology (2, Insightful)

AaronLawrence (600990) | more than 5 years ago | (#26584603)

And:
3) As you make it harder to solve for computers, you also make it harder to solve for humans.

Since current CAPTCHAs are getting quite difficult for humans to solve, the process has already reached its limit. Facebook's captchas are difficult enough for me that I have to ask for a new one 5-10 times to get one I'm fairly sure of.

This one involving optical illusions is absurd, there will be large numbers of people who can never get it right.

Re:Dying Technology (1)

Lazyrust (1101059) | more than 5 years ago | (#26584835)

1) Computers and synthetic systems in general are ONLY going to get better at doing anything a human can do.

Hmm. Computer lovin. Now that idea makes my floppy drive become my hard drive.

Suicide Note (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#26583425)

I wish I was FUCKING DEAD!

Re:Suicide Note (0)

Anonymous Coward | more than 5 years ago | (#26583751)

I wish I was FUCKING DEAD!

Necrophile?

How to get around CAPTCHA for Porn? (4, Insightful)

corsec67 (627446) | more than 5 years ago | (#26583433)

Even if they had a perfect system that could tell a person from a computer, how can they prevent a CAPTCHA for porn system?

(You make a website offering porn for entering the solution to a CAPTCHA from a 2nd site, and then use that solution on that 2nd site)

Re:How to get around CAPTCHA for Porn? (1, Interesting)

Anonymous Coward | more than 5 years ago | (#26583477)

Very true, though you can turn that around. That is, create a 3rd site where users are rewarded with porn for categorizing a posting as spam or legit. If it's the former, it is deleted from your forum.

Re:How to get around CAPTCHA for Porn? (3, Insightful)

Dwedit (232252) | more than 5 years ago | (#26583605)

Captchas have right or wrong answers, which can be immediately verified.
Spam or not spam can not. Some imbeciles can just make random selections without caring. Even if you give posts to multiple people to see if they agree, you can get enough imbeciles to ruin the system.

Re:How to get around CAPTCHA for Porn? (2, Funny)

sexconker (1179573) | more than 5 years ago | (#26583961)

But you have to add captchas to your 3rd site to make sure a 4th site isn't spamming your (3rd) site with fake spam/legit answers in an effort to steal your porn (to make their own porn-fueled, captcha-solving farm).

Re:How to get around CAPTCHA for Porn? (4, Funny)

kohaku (797652) | more than 5 years ago | (#26584349)

It's porn all the way down.

Re:How to get around CAPTCHA for Porn? (0)

Anonymous Coward | more than 5 years ago | (#26583495)

Link, please.

Re:How to get around CAPTCHA for Porn? (1)

EGenius007 (1125395) | more than 5 years ago | (#26584091)

CAPTCHA for porn? That's way too much work for porn.

Things I'd be willing to clear CAPTCHAs for:
  • cash
  • caffeine
  • pizza
  • (good) sex

Re:How to get around CAPTCHA for Porn? (0)

Anonymous Coward | more than 5 years ago | (#26584415)

With porn without captchas.

Re:How to get around CAPTCHA for Porn? (0)

Anonymous Coward | more than 5 years ago | (#26585085)

Why can't the original site (assuming it's high enough value to be attacked in this manner) put a time limit on how long CAPTCHAs are valid?

That way, unless the porn site's traffic is close enough to or larger than yours, you can significantly reduce the probability of the porn site being able to utilize that CAPTCHA. If their traffic is significant enough, then they'd probably make more money off of advertising - additionally, you've increased their maintenance costs.

Additionally, embed your site address within the CAPTCHA as a watermark, and you potentially reduce further the probability that someone gives the porn site the CAPTCHA value (or at least think twice and perhaps consider it some kind of hacking attempt).

No, I'm not suggesting any of these solves the problem. But it makes it more expensive for the spammers and requires them to keep improving their algorithms. At the end of the day, this is an escalation tactic. In any case, practical AI research should benefit from this escalation anyways, so in a perverted way, spammers are actually performing a public service. Uggh - I feel dirty.
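The time limit proposed in the comment above, sketched as an added example that is not part of the original post: the server issues a signed token with each CAPTCHA and accepts an answer only once and only before the token expires, which narrows the window in which a relayed CAPTCHA is still usable. The token layout, the names `issue` and `Verifier`, and the 60-second lifetime are assumptions.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)  # per-deployment key, never sent to the client


def _mac(label: str, *parts) -> str:
    msg = "|".join([label, *map(str, parts)]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def _same(a: str, b: str) -> bool:
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())


def _norm(answer: str) -> str:
    return answer.strip().lower()


def issue(answer: str, ttl: int = 60, now=None) -> str:
    """Build the token sent alongside the CAPTCHA image.

    The token carries an id, an expiry, a tag protecting both, and a MAC
    over the expected answer; the answer itself stays on the server.
    """
    now = int(time.time() if now is None else now)
    cid = os.urandom(8).hex()
    exp = now + ttl
    return ".".join([cid, str(exp), _mac("tok", cid, exp),
                     _mac("ans", cid, exp, _norm(answer))])


class Verifier:
    def __init__(self):
        self.used = {}  # captcha id -> expiry, remembered only until expiry

    def check(self, token: str, submitted: str, now=None) -> str:
        now = int(time.time() if now is None else now)
        self.used = {c: e for c, e in self.used.items() if e >= now}
        try:
            cid, exp_s, tag, ans = token.split(".")
            exp = int(exp_s)
        except ValueError:
            return "malformed"
        # Integrity first: a client cannot extend the expiry or invent ids.
        if not _same(tag, _mac("tok", cid, exp)):
            return "forged"
        if now > exp:
            return "expired"
        if cid in self.used:
            return "replayed"
        # Burn the id on the first attempt, right or wrong, so one CAPTCHA
        # allows exactly one guess.
        self.used[cid] = exp
        if not _same(ans, _mac("ans", cid, exp, _norm(submitted))):
            return "wrong"
        return "ok"


if __name__ == "__main__":
    v = Verifier()
    t = issue("xK7q2", now=1000)        # constructed sample answer
    print(v.check(t, "xk7q2", now=1030))
    print(v.check(t, "xk7q2", now=1031))
    print(v.check(issue("abcde", now=1000), "abcde", now=1061))
```

The lifetime is a trade-off: it has to cover a slow legitimate reader, so it bounds relay time rather than eliminating it.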

Logical next step (2, Funny)

sakdoctor (1087155) | more than 5 years ago | (#26583445)

Instead of one little captcha at the end of a web form, the whole site will be a captcha.
All the form labels will be jumbled images, and there will be 9 form submit buttons, 8 with dogs and 1 with a cat.
All textual content can be a mangled image to stop scrapers as a bonus.

Oh and please don't actually build this.

Re:Logical next step (1)

PB8 (84009) | more than 5 years ago | (#26583581)

How about match a sound to a graphic?
'Moo' says the Pootie?
Eweza Bot! Banned be Ur IP addie 4eva!

Re:Logical next step (1, Interesting)

jd (1658) | more than 5 years ago | (#26583859)

Why jumble the images? Computer monitors function at 75-100 refreshes a second, or more. The human eye will superimpose two images that are 1/12.5 seconds apart, which is why PAL televisions using interlace can trick the eye into seeing a single fluidly-moving picture when playing at 25 frames per second (and thus 12.5 updates on a given line per second).

You should be able to use this to create an animated page, in which you scatter pixels through time, such that persistence of vision tricks the eye into seeing the actual page when an analysis of a single frame would show only random dots.

What you'd end up with is something that a screen scraper or image capture program could never process, but the human brain (because you're exploiting its limitations) can.

Re:Logical next step (2, Informative)

sexconker (1179573) | more than 5 years ago | (#26583981)

Image capture program will just capture multiple frames and combine them, just like your eye (basically, effectively does).

Also, PAL is 50 fields per second, 25 frames per second. Not 25 fields and 12.5 frames.

Nope, that won't work either. (3, Insightful)

IdahoEv (195056) | more than 5 years ago | (#26584487)

Give me the frames of such an animation and I can trivially write a program that simulates persistence of vision by smearing the pixels over time, thus making it solvable by a computer.

In the long run, CAPTCHAs are doomed.

Re:Logical next step (1)

laddiebuck (868690) | more than 5 years ago | (#26585343)

It would take the attackers all of five minutes to recognise this and simply fetch two images (or the whole set) and superimpose them. It's a neat trick but nothing more.

Perhaps it is PA (0, Offtopic)

Rinisari (521266) | more than 5 years ago | (#26583501)

Let me tell you a little secret about the water here in Pittsburgh...

Please decode the text in the image below to continue reading this comment.

5t33L3r5 t4k3 C4rd1n4l5 1713

Re:Perhaps it is PA (0, Redundant)

CannonballHead (842625) | more than 5 years ago | (#26583583)

Steelers take Cardinals 17 (to) 13?

Worded questions? (2, Insightful)

DavidR1991 (1047748) | more than 5 years ago | (#26583515)

I thought the ideal captcha would be worded questions presented in the same image-like format as current captchas, e.g. "Two and Two makes?" or "The opposite of day is..?" Whilst the image recognition is now feasible, making a general system to solve this problem would be somewhat more difficult than just improved single-word captchas.

Annoyingly, however, the system to create such captchas cannot really be automated (in terms of creating the questions). So I suppose as long as the captchas are computer created / can be made automatically, they will also be computer crackable/solvable.

Re:Worded questions? (0)

Anonymous Coward | more than 5 years ago | (#26584523)

Like the Quantum Random Bit service captcha?

Re:Worded questions? (0)

Anonymous Coward | more than 5 years ago | (#26584765)

Except then you can use some extra logic to solve that you wouldn't have because it reduces your code space. The spaces in the question delineate words, you can then use what you know to make sense of the rest, plus the questions have to make sense.

Re:Worded questions? (1)

SanityInAnarchy (655584) | more than 5 years ago | (#26584833)

I thought the ideal captcha would be worded questions presented in the same image-like format as current captchas, e.g. "Two and Two makes?" or "The opposite of day is..?"

That actually looks relatively easy to solve.

No, you couldn't necessarily make a general, out-of-the-box solution. However, if each one is unique, built by a human, then it's simply a dictionary. If it's not a finite number, then you're going to have patterns, and it could just refresh until it gets "[numberword] and [numberword] makes?", then do the calculation.

CAPTCHA... GOTCHA (-1, Offtopic)

TheRealMindChild (743925) | more than 5 years ago | (#26583561)

Speaking of CAPTCHAs, does anyone remember GOTCHA guns? I recently brought it up to my wife, then my coworkers... no one remembers them.

I don't get it (0)

Anonymous Coward | more than 5 years ago | (#26583573)

As the summary notes, reCAPTCHA uses text that has already failed a text-recognition process and helps digitize books. Why go to the effort of creating a custom CAPTCHA when there's already one that's not broken *and* does something useful?

Build a database of inputs and outputs (3, Interesting)

KPexEA (1030982) | more than 5 years ago | (#26583595)

Any CAPTCHA system can easily be cracked by building a large database with the inputs and outputs that were actually solved by humans and then saved into the database for lookup later. The inputs don't need to be text, they can contain images (or hash codes representing images), or css or whatever is needed to define the input data. The only feasible way to stop this kind of caching of answers is to have no duplicate tests. For example, a large field of randomly colored circles that all vary in size and position and move slowly around, then tell the user to hover the mouse over the largest blue circle and then next have them move the mouse over the green triangle, etc. Then base their "pass or fail" on how well they could move the mouse fast enough. And change the test often, like, put the mouse over the shape that looks like a bunny etc.

Re:Build a database of inputs and outputs (1)

localman (111171) | more than 5 years ago | (#26583947)

It's worse than that: any captcha system can be cracked by humans. You can either pay lots of low wage workers or offer some reward (porn) for cracking captchas. I came up with a whole bunch of captcha-tech ideas that would require hard AI... and then realized it's a dead end tech anyway. There are plenty of people in the world willing to crack captchas for next to nothing. There's no way to tell a real user from a person who is just trying to abuse the system.

Something like recaptcha will stop lazy attempts. Nothing will stop serious attempts.

Cheers.

Re:Build a database of inputs and outputs (1)

mysidia (191772) | more than 5 years ago | (#26583971)

How about, you do the following:

Instead of one captcha, you do it twice.

The first captcha is a "front door".

After you answer the first captcha successfully, you are presented with a second captcha.

The second captcha depends on the correct answer to the first captcha.

After you answer the first captcha, you have a time limit for providing your answer to the second one.

In any case, you do not learn if the answer was correct or not until attempting to submit the second captcha.

5 or 6 case-insensitive alphanumeric characters can be used with various obfuscation techniques to avoid detection of symbols.

The Captcha display application should also be flash, silverlight, or java-based, so the end user doesn't have direct access to the image file, or to any CSS coding; a proprietary protocol can be used with various obfuscation techniques and random change of the application every visit.

Just because something's finite, doesn't mean it's feasible for a machine to automatically crack it.

Re:Build a database of inputs and outputs (1)

Harik (4023) | more than 5 years ago | (#26585147)

... So what you're saying is that I now HAVE to have flash to do a captcha, plus perfect eyesight, and fast reflexes to enter it before the timeout, and you're using DRM (known broken from the getgo) to try to make it difficult to spoof - except EVERYONE forgets the enemy of CAPTCHA isn't better AI - it's third world labor.

CAPTCHA is dead. Unfortunately, like most annoying internet fads we're going to see lots more of it until it finally starts going away.

Re:Build a database of inputs and outputs (1)

Spy Hunter (317220) | more than 5 years ago | (#26584361)

Technically all existing image CAPTCHA systems I know of fail the "CA" (completely automated) part; that is, they require humans to first classify a set of input images, and then only those images can be used in the test. What's needed is a way for computers to generate new images for the test on the fly.

Luckily modern video cards are designed for exactly this. Why not have a database of labeled 3D models instead of labeled images. For the test, present an image of the model rendered from an arbitrary perspective, with an arbitrary color scheme, on a colorful background. The test image can be completely different every time, even with a small number of 3D models. To break this CAPTCHA would require solving hard computer vision problems for which no out-of-the-box software exists.

Re:Build a database of inputs and outputs (1)

Dhalka226 (559740) | more than 5 years ago | (#26584365)

Then base their "pass or fail" on how well they could move the mouse fast enough.

So if I open things in tabs and come back when I'm finished reading whatever I was reading, I'm guaranteed to fail the first CAPTCHA? Seems like a pretty good way to annoy visitors into leaving.

Re:Build a database of inputs and outputs (1)

SanityInAnarchy (655584) | more than 5 years ago | (#26584873)

Any CAPTCHA system can easily be cracked by building a large database with the inputs and outputs that were actually solved by humans and then saved into the database for lookup later....The only feasible way to stop this kind of caching of answers is to have no duplicate tests.

And that's true of most CAPTCHAs today.

For example, a large field of randomly colored circles that all vary in size and position and move slowly around, then tell the user to hover the mouse over the largest blue circle and then next have them move the mouse over the green triangle, etc.

We're already at a limit of annoyance for users. And, if you've been following robotics at all, following a differently-colored circle around is not difficult.

And either way, you still have the problem of humans solving it -- the common "porn" example being one solution, I would point to Amazon's Mechanical Turk as another.

Animation/video (1)

pondermaster (1445839) | more than 5 years ago | (#26583597)

Have the text/image animated, each frame by itself doesn't contain all the information needed to decipher the text/image.
Interlaced CAPTCHAs are the thing!

Re:Animation/video (1)

KPexEA (1030982) | more than 5 years ago | (#26583637)

Step 1) Have a human crack it ( in exchange for viewing pr0n etc.)
Step 2) Build a hash-code for the image or images
Step 3) Save answer and hash-code into a database

Re:Animation/video (1)

SanityInAnarchy (655584) | more than 5 years ago | (#26584885)

If it's only interlaced, deinterlacing algorithms are easy to come by -- mplayer has four or five of them.

All this does is require more CPU, it won't significantly reduce accuracy of cracking. And remember, you can get armies of Windows zombies to do this for you.

Pay captcha creators :) (1)

CannonballHead (842625) | more than 5 years ago | (#26583643)

So how about a system of paying captcha-creators $2/1000 captchas created? ;)

On a serious note, though, it seems that general knowledge is a better way to do it than simple word recognition...

Or, on the more imaginative side, what about classical music recognition. I don't know how good computers are at analyzing not just "Beethoven's 5th" but analyzing it amidst numerous recordings which all would have very significantly different waveforms. Unfortunately, music is neither universal (it'd have to be country specific I suppose) nor quite as close to infinite in possibilities as word or image based captchas...

Re:Pay captcha creators :) (1)

brusk (135896) | more than 5 years ago | (#26583797)

Actually music recognition seems like a task computers would be much better at than humans (rather, a program designed for just that task would be better at it than a random, off-the-street human).

Re:Pay captcha creators :) (1)

CannonballHead (842625) | more than 5 years ago | (#26583881)

Wouldn't it have to do some pretty fancy waveform analyzing though, or a database of all the waves? There are a ton of different recordings of this or that well-known music piece.

Maybe recognition isn't based on the waveform.. I'm not sure what else it'd be though.

Re:Pay captcha creators :) (2, Insightful)

brusk (135896) | more than 5 years ago | (#26584355)

Presumably the universe of tunes every internet user could be expected to know is quite small, so it would only be a matter of matching to that set. There's already an iPhone app (Shazam, I think it's called) that can identify ambient music and send you to the iTunes purchase link. That's presumably a much harder problem (a vastly bigger universe and probably poorer sound quality), and it's already been solved.

Re:Pay captcha creators :) (1)

SanityInAnarchy (655584) | more than 5 years ago | (#26584939)

Wouldn't it have to do some pretty fancy waveform analyzing though, or a database of all the waves?

I can't remember the name of it now, but I have seen software which can analyze a recording and split out individual instruments and notes. They had an example of taking a live recording, splitting it out, and changing the pitch of one note played by one instrument to correct it. Doesn't sound techno-ish, because it's a real recording, just slightly altered...

Anyway, such waveform analysis exists.

There are a ton of different recordings of this or that well-known music piece.

And I'm guessing you can get a score of all of it somewhere.

And you're getting really, really bad as far as legitimate user accessibility. You're going to require some sort of multimedia playback (probably Flash), versus a simple image and/or some javascript. And how many random people off the street could even recognize Beethoven's 5th?

I'm embarrassed to admit it, but while I would probably recognize that I had heard it before, and that it was good classical music, I probably would not even know it was Beethoven, let alone which symphony.

And I can tell you right away, that if you're going to require that, I very likely won't be back to your website, even if I did know it. It's getting too annoying.

Cylon Detector (3, Funny)

fathom108 (706747) | more than 5 years ago | (#26583695)

Will this detect Cylons?

Suck it, Vernor & Kurzweil (3, Insightful)

Anonymous Coward | more than 5 years ago | (#26583707)

No one could ever predict that it would be spammers and porn merchants who would solve the hardest problems in AI.

maybe we could use pictures instead (1)

rev_sanchez (691443) | more than 5 years ago | (#26583737)

We could use national celebrities or historic figures instead of text CAPTCHAs. Say you wanted to make a new gmail account and your IP looks like it comes from the US, Google could make you identify either Coolio, Benjamin Franklin, or Evel Knievel before you proceed.

Re:maybe we could use pictures instead (1)

gapagos (1264716) | more than 5 years ago | (#26584631)

Say you wanted to make a new gmail account and your IP looks like it comes from the US, Google could make you identify either Coolio, Benjamin Franklin, or Evel Knievel before you proceed

I'm not from the U.S, but Canada, which is close enough.
Of those 3 names that you listed, I only ever heard of Benjamin Franklin (some electricity discoverer), and I don't know what he looks like.

Such a system would be -extremely- ethnocentric and terribly annoying for me.

Re:maybe we could use pictures instead (1)

SanityInAnarchy (655584) | more than 5 years ago | (#26584949)

I know about Ben Franklin. I've heard of Evel Knievel, but I don't know what he looks like.

Even if all that was settled, what are the chances you're going to find enough pictures of each that people would recognize, and computers wouldn't?

Stop Comment Spam By Analysing the Actual Content (2, Insightful)

jwieland (81762) | more than 5 years ago | (#26583801)

Enough with the annoying CAPTCHAs; stop comment spam by just analyzing the content.

Free and works well:
http://defensio.com/

I really hate (4, Interesting)

BetterSense (1398915) | more than 5 years ago | (#26583823)

I really hate image-based CAPTCHAs, because they discriminate against lynx users. I seriously remember at least one occasion where I was using lynx for whatever obscure reason, and I came upon "enter the text shown in the box at the left". Fail. I like the math problem ones better.

Re:I really hate (1)

Shadow-isoHunt (1014539) | more than 5 years ago | (#26584301)

Try using links2. It'll give you graphical w/o requiring X.

Don't make them harder, make them different. (1)

neokushan (932374) | more than 5 years ago | (#26583891)

Ok, I will happily admit that I know bugger all about cracking CAPTCHAs, but one thing I have noticed is that most sites use their own version of a CAPTCHA, probably to make it harder to crack.
This must mean that sites are specifically targeted by the crackers, specific routines are probably made to maximise the chances of a successful "crack" against that site. So rather than just making them harder and more obscure (Thus making them harder for humans to read), why not just vary them by a great deal?
If an algorithm has a 50% chance at cracking any given CAPTCHA (And 50% is pretty good, as far as I know it's more like 5, 10 or 15% for a "good" crack), but you have 10 variations of CAPTCHAS to crack, then that routine drops from 50% to 5%. A 5% crack only works on 5% out of every 10, so 0.5%. Just by being different, not harder.
And by different, I don't just mean using different colours and symbols, I mean being completely different, but still ultimately simple. Some may be "please input the 5 characters below", others may be "click on the kitty", another one might be "pick the blue pill", it doesn't have to be complicated, just varied. Better yet, vary the possible algorithms that you can use in any given period, rotate them say every 15 or 20mins, making life much harder for them to detect which particular algorithms are in use at any given time (so for example, have about 20 or 30 algorithms, but only use 10 at any given point, then randomly pick 10 new ones after so long).
Then again, maybe I'm talking out of my rear end, but it makes sense to me. Perhaps someone with more foresight could tell me why that wouldn't work?

COLORblind? How about BLIND blind? (5, Interesting)

Ungrounded Lightning (62228) | more than 5 years ago | (#26583893)

The idea is that humans are better at image recognition that computers, but humans can legitimately disagree on their interpretations and some humans are color blind.

COLOR blind? Some humans are BLIND blind. Others have various vision or vision processing impairments that would make meatware-visual-coprocessor-test CAPTCHAs reject them.

IMHO most CAPTCHAs are already and obviously violating of the Americans with Disabilities Act. So now, in the info-war between weapons and armor (which weapons always win anyhow), even more of us less-than-Aryan-Supermen become collateral damage.

Dogs are (allegedly) color blind and "... on the Internet nobody can tell you're a dog!". Well, maybe PEOPLE can't. But now the web applications can. B-(

The solution to being attacked by better weapons is not better armor. That's only a stopgap. The solution is to hunt down those who misuse weapons and make them incapable of or unwilling to continue.

Re:COLORblind? How about BLIND blind? (1)

wagnerrp (1305589) | more than 5 years ago | (#26584347)

I have seen a number of CAPTCHAs that include a link to a wave file containing the word. If you're blind, you download the sound bit and listen instead.

Re:COLORblind? How about BLIND blind? (1)

KingAlanI (1270538) | more than 5 years ago | (#26584721)

There are some people that are both blind and deaf [gratuitous meme], you insensitive clod.[/meme]

Re:COLORblind? How about BLIND blind? (1)

Skapare (16644) | more than 5 years ago | (#26584641)

The solution to being attacked by better weapons is not better armor. That's only a stopgap. The solution is to hunt down those who misuse weapons and make them incapable of or unwilling to continue.

But, Obama said we were not going to use torture, anymore.

deaf + blind (1)

KingAlanI (1270538) | more than 5 years ago | (#26584829)

(see http://it.slashdot.org/comments.pl?sid=1102967&cid=26584721 [slashdot.org] )

in all seriousness, being deaf and blind is a small enough corner case overall, even if deafness and blindness aren't always caused independently of one another.

specific statistics are evidently not available in the relevant WP articles. Trying a general Google search:

http://gri.gallaudet.edu/Demographics/deaf-US.php [gallaudet.edu] Deafness @ 0.1% to 0.2%-0.4%

http://www.cde.state.co.us/cdesped/SD-Deafblind.asp [state.co.us]
Lists deafblindees as 0.003% at birth

Re:COLORblind? How about BLIND blind? (1)

Earthquake Retrofit (1372207) | more than 5 years ago | (#26585335)

Some humans are BLIND blind. Others have various vision or vision processing impairments that would make meatware-visual-coprocessor-test CAPTCHAs reject them.

IMHO most CAPTCHAs are already and obviously violating of the Americans with Disabilities Act.

If a vision impaired person wants to sign up and explains in an email why he or she cannot solve image based CAPTCHAs, any sysop would surely grant access. If not, that might be an ADA violation. Now if he got thousands of such requests every day...

I like how reCAPTCHA is the recommendation... (2, Interesting)

Stile 65 (722451) | more than 5 years ago | (#26583915)

...even though CraigsList uses reCAPTCHA and the article talks about a utility that helps spammers automatically post on CL.

Besides, it's fairly easy to set up a Mechanical Turk HIT for users to solve CAPTCHAs for a penny a piece. Assuming you make more than a penny per captcha solved, you're set. If not, make someone successfully solve more than one CAPTCHA per HIT submission.

Re:I like how reCAPTCHA is the recommendation... (1)

ducomputergeek (595742) | more than 5 years ago | (#26584545)

We just started using reCAPTCHA on our submit forms for non-logged in users and on the registration page after finally getting some Korean or Japanese spam. It was extremely easy to integrate, I think it took about 10 minutes from signup until it was in the code and worked. After a couple days on the development machine for testing, it was in production and no more false submissions.

It may not be perfect, but it was easy to integrate and simple to use.

Report the spammers (0)

Anonymous Coward | more than 5 years ago | (#26583999)

and have their sites taken down. As long as hosting providers are allowed to harbour spammers (yes, USA, I look at you), and nobody gives a big F, visitors and site owners pay the price.

Filtering DOES NOT work. Did it stop email spam? No, see: spam year [spamcop.net] . What did? Kicking McColo off the Internet. And McColo is not alone in providing services to spammers (Netvision.net.il I look at you).

OCR (1)

Strange Ranger (454494) | more than 5 years ago | (#26584095)

Ok so I read the article...
The article focuses on OCR as the main problem. CAPTCHA can be broken by OCR, so reCAPTCHA uses text that OCR has already had trouble reading. Ok got it.

So why are they stuck on ASCII characters? Why not use obfuscated animal pictures? "Type one word that best describes the picture above." Answer: Zebra (Moose, Dog, whatever)
Why do they keep putting the right answer in the CAPTCHA? How about obfuscating "__ cups in a pint?" or "A Bakers Dozen is __".
I'm no CMU whiz, but it seems to me that if the problem is OCR then stop putting the correct answer in ASCII characters right in the CAPTCHA.

It's not necessary to make them impossible to crack, it's only necessary to make it too economically infeasible for spammers to bother.

Re:OCR (1)

kohaku (797652) | more than 5 years ago | (#26584385)

The trouble with pictures is that the algorithm generating the captcha has to also come up with the question, and if it can figure out which animal is in a picture, then it's completely ineffective :). You can't just stick a list of pictures and responses in a list, because that makes the pool too small, and brute-forceable.

Re:OCR (2, Interesting)

Strange Ranger (454494) | more than 5 years ago | (#26585113)

I was thinking brute force isn't feasible when every failure generates a new question.
But let me take another stab at it.

What if the question wasn't always "what is in the picture?"
Given a database of 1000 basic images like animals, shapes, fruits, and vegetables matched to the word for what each one is and its category (animal, fruit, etc.). Now the CAPTCHA shows 6 of them in 6 little squares. (~985 quadrillion combinations) It can ask a nearly endless list of questions using simple formulae:

What is the third image?
How many animals are shown? Spell the number.
Type the first 2 letters of each fruit.
Type the shape names using no spaces.



Instead of always asking "what are the 5 digits" now we're asking for an almost arbitrary number of digits. And there are 6 picture images that have to be ID'd.

Did I beat the OCR problem w/o introducing any fatal new ones?
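
A sketch of the challenge generator proposed in the comment above, added here as an example and not the poster's own code. The eight-entry catalogue stands in for the 1000-image database, and the function names and question templates are assumptions; the expected answer is kept server-side and never sent with the images.

```python
import math
import random

# Constructed stand-in for the proposed 1000-image database: (label, category).
CATALOGUE = [("zebra", "animal"), ("moose", "animal"), ("dog", "animal"),
             ("apple", "fruit"), ("banana", "fruit"), ("cherry", "fruit"),
             ("circle", "shape"), ("square", "shape")]
NUMBER_WORDS = ["zero", "one", "two", "three", "four", "five", "six"]
ORDINALS = ["first", "second", "third", "fourth", "fifth", "sixth"]


def ordered_layouts(pool_size, slots=6):
    """Distinct ordered picks of `slots` different images from the pool."""
    return math.perm(pool_size, slots)


def make_challenge(rng, slots=6):
    """Pick images and one question; the answer stays on the server."""
    shown = rng.sample(CATALOGUE, slots)
    kind = rng.choice(["nth", "count", "prefix", "concat"])
    if kind == "nth":
        i = rng.randrange(slots)
        question, answer = f"What is the {ORDINALS[i]} image?", shown[i][0]
    else:
        # Only ask about a category that actually appears in this layout.
        cat = rng.choice(sorted({c for _, c in shown}))
        labels = [label for label, c in shown if c == cat]
        if kind == "count":
            question = f"How many {cat}s are shown? Spell the number."
            answer = NUMBER_WORDS[len(labels)]
        elif kind == "prefix":
            question = f"Type the first 2 letters of each {cat}."
            answer = "".join(label[:2] for label in labels)
        else:
            question = f"Type the {cat} names using no spaces."
            answer = "".join(labels)
    return {"images": [label for label, _ in shown], "question": question,
            "answer": answer}


def check(challenge, response):
    """Case- and whitespace-insensitive match; issue a new challenge on failure."""
    return "".join(response.lower().split()) == challenge["answer"]


if __name__ == "__main__":
    print(ordered_layouts(1000))              # ordered 6-image layouts from 1000
    print(make_challenge(random.Random()))
```
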

Fuck no. (1)

ForrestFire439 (1458475) | more than 5 years ago | (#26584103)

Jesus Christ. If they make CAPTCHAs any more difficult I'm going to be effectively banned from the internet. I'm sure I'm not the only one.

How will this help? (1)

phonicsmonkey (984955) | more than 5 years ago | (#26584217)

Services like DeCaptcher use cheap human labor to solve CAPTCHAs. From their site:

DeCaptcher CAPTCHA solving is processed by humans. So the accuracy is way more better than an automated capctha solver ones.

How will a different format solve anything?

Re:How will this help? (1)

timmarhy (659436) | more than 5 years ago | (#26584571)

you can tell it's run by well to do individuals who use phrases like "more better"

No workarounds? Really? (1)

v(*_*)vvvv (233078) | more than 5 years ago | (#26584221)

Captchas aside, aren't there other ways of preventing bots from registering multiple accounts? Instead of focusing on humans, how about focusing on the behavior of the bots. Do they change their IP address every time? Do they fill forms faster than humanly possible? Does any human register more than one account on your site? Do they enter random text or put in URLs where they shouldn't?

I still do not see any attempts to weed out the bots.

Re:No workarounds? Really? (1)

Solra Bizna (716281) | more than 5 years ago | (#26584749)

Do they fill forms faster than humanly possible?

I type between 100 and 180 words per minute. Not only am I faster than some programmers might think is "humanly possible," but it's trivial to bypass protection like that.

msleep(200 * number_of_characters_typed); // Now, we are a moderately fast (60 WPM) typist instead of a bot

-:sigma.SB

Re:No workarounds? Really? (1)

MP3Chuck (652277) | more than 5 years ago | (#26585151)

"Do they enter random text or put in URLs where they shouldn't?"

A (somewhat) common thing to do is have a form field hidden with CSS. Spam bots rarely, if ever, parse CSS ... so you hide a "Website" or "ICQ" form field (who uses ICQ anymore, anyway?) and if it's filled in you ignore the submission entirely.

Or, you have a form field labeled "Leave this field blank." Spam bots will usually fill in all available fields so, again, if it's got a value you just ignore it.
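
A server-side sketch of the two checks raised in this sub-thread, hidden honeypot fields and a minimum fill time, added here as an example and not any poster's code. The field names, the HMAC-signed render timestamp and the 3-second threshold are assumptions; the timing check is only a weak signal, since a client can simply wait.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: per-site secret, kept server-side
HONEYPOTS = ("website", "icq")     # assumption: inputs hidden from humans with CSS
MIN_FILL_SECONDS = 3.0             # assumption: tune per form; weak signal only


def issue_token(now=None):
    """Value for a hidden input: render time plus an HMAC so it cannot be forged."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def token_age(token, now=None):
    """Seconds since the form was rendered, or None if the token is invalid."""
    ts, _, mac = token.partition(".")
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return (now if now is not None else time.time()) - int(ts)


def classify(form, now=None):
    """Return (accept, reasons); rejected submissions are dropped silently."""
    reasons = []
    for name in HONEYPOTS:
        if form.get(name, "").strip():
            reasons.append(f"honeypot:{name}")
    age = token_age(form.get("form_token", ""), now)
    if age is None:
        reasons.append("bad-token")
    elif age < MIN_FILL_SECONDS:
        reasons.append("too-fast")
    return (not reasons, reasons)


# Constructed sample submissions for a form rendered at t=1000.
TOKEN = issue_token(now=1000)
HUMAN = {"comment": "Nice article", "website": "", "form_token": TOKEN}
BOT = {"comment": "buy pills", "website": "http://spam.example", "icq": "123",
       "form_token": TOKEN}

if __name__ == "__main__":
    print(classify(HUMAN, now=1020))   # filled in 20 s, honeypots empty
    print(classify(BOT, now=1001))     # filled in 1 s, honeypots populated
```
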

Obligatory XKCD (1, Funny)

DeadPixels (1391907) | more than 5 years ago | (#26584239)

http://xkcd.com/233/ [xkcd.com] The real question is: What can humans do that computers cannot? The only problem with "which of these images is George W Bush?"-type tests is that spammers could easily use a database and just compare an image against a photo database. Granted, it wouldn't be as easy as regular CAPTCHAs, but it's still easy enough to crack.

gmail captcha (1)

v1 (525388) | more than 5 years ago | (#26584351)

hate it. hate it hate it hate it.

I have to set up gmail accounts periodically for users here and it takes me some fighting every time to make the account. The "wheelchair" icon makes it read it to you, and the idea of course is in case you are having problems with the picture you can listen to it. But it's like trying to make out what your friend is saying to you from the other end of a dance floor. I have yet to figure out what they're saying by the recording.

And if you miss the captcha too many times, it stops letting your IP address try for awhile. Woooonderful.

Irony (1)

GoblinSoul (1456863) | more than 5 years ago | (#26584429)

The ReCAPTCHA website for cracking CAPTCHAs has a CAPTCHA to register for their service.

Re:Irony (1)

pelrun (25021) | more than 5 years ago | (#26585329)

That's not irony, that's eating your own dogfood.

Just a thought... (1)

Hobadee (787558) | more than 5 years ago | (#26584499)

So here's the issue: Computers are getting to the point where they can solve CAPTCHAs better than humans, so why don't we flip the tables? Why not build a CAPTCHA that takes human weaknesses into account? For example, use optical illusions and ask the human what it _appears_ to be doing, not what it actually is doing. A computer would perfectly interpret the illusion and output what it is doing, whereas the human would look at it, be fooled, and say what it appears to be doing.

Audio CAPTCHA in ENGLISH (1)

DeadboltX (751907) | more than 5 years ago | (#26584543)

How about an audio clip where the user has to identify the nth word of a sentence, or get even more complicated and have the user identify an adverb or something. Not as universal as number or letter sequences, but it could work for web pages that serve a specific language demographic.

Re:Audio CAPTCHA in ENGLISH (0)

Anonymous Coward | more than 5 years ago | (#26585175)

Users are too stupid to know the answer to that. When you work tech support for a while, you begin to realize that many users are impossibly stupid.

Never EVER count on a user to figure something out. They won't.

The Summary Contradicts Itself (1)

cortesoft (1150075) | more than 5 years ago | (#26584617)

The summary mentions a service at decaptcher.com where you can pay $2 per 1000 CAPTCHAs solved. If you visit the site, they make it quite clear that the solving is being done by humans. The technology of the CAPTCHA has not been 'cracked' by this site; the concept of a CAPTCHA itself was proven ineffective. There is no 'more difficult for a computer to figure out' technology that can solve this problem... anything that a legitimate user is able to solve will be able to be solved by the people working at decaptcher... the only thing you might accomplish is making it harder for the people who work there to solve the puzzle, but anything that works in that method will also make it more difficult for an end user. The whole discussion is moot after this.

For most sites, an extreme CAPTCHA isn't necessary (1)

NevarMore (248971) | more than 5 years ago | (#26585155)

I can't find the post where it was discussed but codinghorror.com has one CAPTCHA, or a very small set of them, and it seems to work.

I just read the blog so I have no idea how heavily the site gets hit, or how much cleanup the author does, but with that one never changing CAPTCHA there isn't any comment spam.

So CAPTCHAs are another example of a classic security trade off, just needs to be enough to get the malicious entities to go somewhere else.

Should be discussed in one of these articles: http://www.google.com/search?hl=en&q=captcha+site%3Acodinghorror.com&btnG=Google+Search&aq=f&oq= [google.com]
