Why the CAPTCHA Approach Is Doomed

timothy posted more than 5 years ago | from the how-do-you-feel-about-are-you-a-human dept.

Spam 522

TechnoBabble Pro writes "The CAPTCHA idea sounds simple: prevent bots from massively abusing a website (e.g. to get many email or social network accounts, and send spam), by giving users a test which is easy for humans, but impossible for computers. Is there really such a thing as a well-balanced CAPTCHA, easy on human eyes, but tough on bots? TechnoBabble Pro has a piece on 3 CAPTCHA gotchas which show why any puzzle which isn't a nuisance to legitimate users, won't be much hindrance to abusers, either. It looks like we need a different approach to stop the bots."


8==C=A=P=T=C=H=A==D (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27508033)

8==C=O=C=K==S=L=A=P==D

Re:8==C=A=P=T=C=H=A==D (5, Interesting)

RemoWilliams84 (1348761) | more than 5 years ago | (#27508187)

This troll actually gave me an idea. Why not ascii art?

Give an ascii art picture and ask the user to tell what it is.

In this case cock would let you through.

Re:8==C=A=P=T=C=H=A==D (4, Insightful)

0100010001010011 (652467) | more than 5 years ago | (#27508257)

Because an open ended question would get a million different responses.

And having the user select a radio button would narrow the probability down to 1/X choices. And when you have a million bots, 1/x is more than enough to get your spam out.

Re:8==C=A=P=T=C=H=A==D (0)

Anonymous Coward | more than 5 years ago | (#27508453)

Would it really be that hard to have a picture of a rabbit and set it to accept bunny or rabit or even hare?

There can't be that many possible alternatives to call a single object that a user couldn't get one in three different tries.

Re:8==C=A=P=T=C=H=A==D (1)

digitalunity (19107) | more than 5 years ago | (#27508725)

If pattern recognition CAPTCHAs don't work, the next obvious step is logic puzzles with type-in answers.

Other than that, TPM based browser plugins verifying web submittals are coming from physical human interface devices are all I can think of.

Re:8==C=A=P=T=C=H=A==D (3, Informative)

clone53421 (1310749) | more than 5 years ago | (#27508363)

Already been done [thephppro.com].

Re:8==C=A=P=T=C=H=A==D (1)

whyloginwhysubscribe (993688) | more than 5 years ago | (#27508519)

That isn't ascii art - it is a figlet (http://en.wikipedia.org/wiki/FIGlet), which I would guess is much easier even than the image based word captchas

Re:8==C=A=P=T=C=H=A==D (1)

clone53421 (1310749) | more than 5 years ago | (#27508621)

FIGlets are still ASCII art.

text banners, in a variety of typefaces, comprised of letters made up of conglomerations of smaller ASCII characters (see ASCII art).

Re:8==C=A=P=T=C=H=A==D (1)

Landak (798221) | more than 5 years ago | (#27508577)

Ahh, good ol' ascii art. I have fond memories of compiling the original UT on my old gentoo box and playing it with some obscure compile option (or perhaps library -- any answers more than welcome!) that rendered all the scenes in good ol' "Base 64".

It's amazingly fun, and arguably looks better now than the old UT graphics do...

Re:8==C=A=P=T=C=H=A==D (3, Insightful)

VeNoM0619 (1058216) | more than 5 years ago | (#27508745)

Still won't defeat the army of underpaid workers to do it.

So what next? (2, Insightful)

Midnight Thunder (17205) | more than 5 years ago | (#27508035)

So if the CAPTCHA is doomed, what is the next approach? Letting spam bots go rampant over a site is not an acceptable alternative.

Re:So what next? (3, Insightful)

Anonymous Coward | more than 5 years ago | (#27508121)

R'ing TFA would be a start :P (he has solutions at the bottom)

Re:So what next? (0)

Anonymous Coward | more than 5 years ago | (#27508189)

TFA is blocked by my workplace you insensitive clod!

Re:So what next? (4, Funny)

Hojima (1228978) | more than 5 years ago | (#27508231)

So if the CAPTCHA is doomed, what is the next approach?

Torture

Re:So what next? (2, Funny)

Cynonamous Anoward (994767) | more than 5 years ago | (#27508721)

Interesting idea, actually...Humans will respond to torture, bots will not....

the trick is how to measure human suffering?

Re:So what next? (4, Interesting)

Trepidity (597) | more than 5 years ago | (#27508279)

Spam-filters analogous to those applied to email seem to be increasingly used as plugins to various blog engines.

Re:So what next? (2, Insightful)

ion++ (134665) | more than 5 years ago | (#27508293)

So if the CAPTCHA is doomed, what is the next approach? Letting spam bots go rampant over a site is not an acceptable alternative.

The next thing to do is to close the services that need (CAPTCHA) spam protection. This means no more free email. Get used to paying.

Re:So what next? (1)

joshtheitguy (1205998) | more than 5 years ago | (#27508365)

So if the CAPTCHA is doomed, what is the next approach? Letting spam bots go rampant over a site is not an acceptable alternative.

Kitten Auth [thepcspy.com]

Re:So what next? (5, Interesting)

Ralph Spoilsport (673134) | more than 5 years ago | (#27508421)

Making people pay for posts. Making people pay for email. That will stop spam dead in its tracks.

Now, I didn't say you'd LIKE what 's next...

RS

Re:So what next? (1)

arth1 (260657) | more than 5 years ago | (#27508567)

There are other alternatives, like better blocking at the client side.
For this to be more feasible, blogs and e-mail sites need to come up with published and preferably common standards for their output. Which would be another win for the consumer.

Re:So what next? (1)

geekoid (135745) | more than 5 years ago | (#27508699)

I would rather have spam.

Re:So what next? (5, Funny)

Mordok-DestroyerOfWo (1000167) | more than 5 years ago | (#27508455)

Maybe a different type of system? Show a series of animals and ask which one is a pet. Show a series of letters and ask which one is the vowel. A series of types of food and ask which one would go best with Natalie Portman. Show an action shot and a series of similar actions, ask which one would occur in Soviet Russia.

Re:So what next? (1)

oldspewey (1303305) | more than 5 years ago | (#27508693)

Many of the examples you give are not culturally neutral. One person's pet is another person's tasty treat. Ditto for Natalie Portman.

Re:So what next? (1)

jonbryce (703250) | more than 5 years ago | (#27508755)

The animal one won't internationalise very well. For example, a cow is a pet in India and food in most other parts of the world. A dog is food in China, and a pet in most other parts of the world.

Re:So what next? (1)

arth1 (260657) | more than 5 years ago | (#27508457)

I'd rather see a hundred spams getting through than one legitimate user being blocked.

Re:So what next? (1)

Dare nMc (468959) | more than 5 years ago | (#27508499)

The end of free speech on the web? (i.e. single/shared logins across the web.) Maybe require excellent Karma on slashdot before you can get a digg/youtube/reddit/myspace/craigslist login.

Re:So what next? (0)

Anonymous Coward | more than 5 years ago | (#27508515)

correct identification of galaxy class?
https://www.galaxyzoo.org/

Re:So what next? (0)

Anonymous Coward | more than 5 years ago | (#27508559)

Looking for cheap Captchas? We deliver discreetly and directly to your house. Many times praise from customers that think our Captchas are the best.

Re:So what next? (1)

geekoid (135745) | more than 5 years ago | (#27508673)

Can't be worse for most forums.

My solution is simple & elegant: (0)

Anonymous Coward | more than 5 years ago | (#27508053)

I have suggested a solution more times than I care to count: impose default caps on sent emails per account, IP, whatever, until the sender has been established as a legit sender of mass mails. That would eliminate spambots running on "regular" people's computers, for example.

I have been blocked from several services because my IP (DHCP assigned, NATted) fell in a range assigned to an ISP that had too many spambots or portscanners running in its network or somesuch. If this happens to enough people, they'll either leave the ISP or pressure it to clean up its act (other ISPs could play a role).

That system would naturally be susceptible to abuse, but then so would any other system. Ultimately you will have to come to a solution that removes the profit from spamming, for example. Your fourth suggestion would go a long way towards that. I'm sure that many people would be willing to place a deposit to cover a reasonable amount of messages. If I ever send a mass mail, it always goes to a listserv, which does the processing - and everybody on the list has subscribed to it. If I abuse the list, they complain, and I get blocked from it.

There is always a catch in all these, but until we're willing to be educated and act civilized... besides, as someone said, "freedom is messy".

-Dan East

Re:My solution is simple & elegant: (1, Insightful)

oldspewey (1303305) | more than 5 years ago | (#27508183)

impose default caps on sent emails per account, IP, whatever, until the sender has been established as a legit sender of mass mails.

What does this have to do with the subject of website captchas?

Re:My solution is simple & elegant: (4, Informative)

Dynedain (141758) | more than 5 years ago | (#27508255)

The author was arguing that one of the primary reasons to do captcha breaking is to get freebee email accounts on GMail/Yahoo to send spam from.

Limit the email the account can send, and you reduce the desire for the account. Reduce the usefulness of the account, and you reduce the desire to crack the captcha on new account signups, or at least the profitability in doing so.

It's one approach that would make a difference, but it's clearly not the only solution.

Re:My solution is simple & elegant: (0)

Anonymous Coward | more than 5 years ago | (#27508425)

You can copy & paste comments from TFA?

ZOMG! You win teh intartubes!

Re:My solution is simple & elegant: (2, Insightful)

Phroggy (441) | more than 5 years ago | (#27508583)

I have suggested a solution more times than I care to count:

There's your first clue that maybe your solution isn't the be-all-end-all you think it is.

impose default caps on sent emails per account, IP, whatever, until the sender has been established as a legit sender of mass mails.

OK, but who are you suggesting should impose these default caps? ISPs? That's fine, but the only way an ISP can do this is by firewalling outbound port 25 and requiring all their customers to relay mail through the ISP's mail server. A lot of ISPs do this and I wish more of them would, but it can cause problems for customers (if you're required to relay through your company's SMTP server instead and they haven't configured an alternate port such as 587, or if the ISP's SMTP server is poorly configured/overloaded/hacked/broken, then the user can't send mail and the resulting customer service calls are pretty expensive for the ISP and could drive the customer to leave).

On top of that, a lot of people are migrating away from traditional POP3/IMAP/SMTP e-mail accounts, and just using webmail services instead. Webmail services, of course, can impose all kinds of limits on the activities of their users, but these limits only make sense on a per-account basis. You can't put limits on the number of messages sent from one IP address regardless of who's logged in, because there could be 300 different users all connecting through a proxy server on one IP, and you have no way to tell the difference.

So, you have to limit each account. But a spammer can easily sign up for multiple accounts, using an automated program! Then they can get around your restrictions, by logging in on 300 different accounts and sending one e-mail from each of them. How do you prevent this?

By using a CAPTCHA.

Which is what we're talking about.

Thanks for playing!
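Dynedain's and Phroggy's posts above describe per-account sending caps, and Phroggy's objection to them: the cap has to be per account rather than per IP (a proxy hides hundreds of users behind one address), and a spammer with many freshly registered accounts sends one message from each. The following is an added example, not code from either poster or from any mail provider, that implements a sliding 24-hour per-account cap with a trust tier and then shows both the cap working and the mass-signup bypass. The tier names, the daily caps and the account names are assumptions made for the illustration.

```python
"""Per-account outbound message caps with trust tiers (added example)."""
from collections import defaultdict, deque

DAY = 24 * 60 * 60
# Assumed tiers and daily caps; the numbers are illustrative, not from the thread.
TIER_CAPS = {"new": 20, "established": 500}


class OutboundLimiter:
    """Sliding 24-hour cap on accepted sends, tracked per account, never per IP."""

    def __init__(self):
        self.tier = {}                     # account -> tier name
        self.sent = defaultdict(deque)     # account -> timestamps of accepted sends

    def register(self, account, tier="new"):
        self.tier[account] = tier

    def promote(self, account, tier):
        """Call once the account has shown human-looking use over time."""
        self.tier[account] = tier

    def allow_send(self, account, now):
        """Return (allowed, reason) and record the send if it is allowed."""
        if account not in self.tier:
            return False, "unknown account"
        window = self.sent[account]
        while window and now - window[0] >= DAY:
            window.popleft()               # drop sends that fell out of the window
        cap = TIER_CAPS[self.tier[account]]
        if len(window) >= cap:
            return False, f"daily cap of {cap} reached"
        window.append(now)
        return True, "ok"


def spam_run(limiter, accounts, messages, now):
    """Attempt `messages` sends round-robin over `accounts`; return how many got through."""
    accepted = 0
    for i in range(messages):
        ok, _ = limiter.allow_send(accounts[i % len(accounts)], now + i)
        accepted += ok
    return accepted


def demo():
    results = {}
    # One fresh account trying to blast 300 messages is stopped at its cap.
    lim = OutboundLimiter()
    lim.register("acct-1")
    results["one_new_account"] = spam_run(lim, ["acct-1"], 300, now=0)
    # The same cap does nothing against 300 bot-registered accounts sending one
    # message each, which is why the signup step still needs its own defence.
    lim = OutboundLimiter()
    bots = [f"bot-{n}" for n in range(300)]
    for b in bots:
        lim.register(b)
    results["three_hundred_new_accounts"] = spam_run(lim, bots, 300, now=0)
    # An established account keeps a much larger allowance.
    lim = OutboundLimiter()
    lim.register("old-timer", tier="established")
    results["established"] = spam_run(lim, ["old-timer"], 300, now=0)
    # The window slides: a day later the capped new account may send again.
    lim = OutboundLimiter()
    lim.register("acct-2")
    spam_run(lim, ["acct-2"], 20, now=0)
    results["after_a_day"] = lim.allow_send("acct-2", now=DAY + 100)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The second case in `demo()` is the point of Phroggy's reply: once accounts are free and automated to create, a per-account cap only moves the abuse to the registration form, so the cap is a complement to whatever guards signup, not a replacement for it.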

That wooshing sound.... (5, Insightful)

ivan256 (17499) | more than 5 years ago | (#27508065)

...is the point going right over the author's head.

A CAPTCHA works well enough for the same reason greylisting works well enough. They may be trivial to bypass (for some definition of 'trivial'), but many applications only need a tiny speed-bump to make a huge difference in undesirable traffic.

Re:That wooshing sound.... (1)

geekoid (135745) | more than 5 years ago | (#27508161)

I think the point here is it won't even be a speed bump soon.

Re:That wooshing sound.... (2, Informative)

qoncept (599709) | more than 5 years ago | (#27508315)

I think you're missing the point. CAPTCHA isn't a speed bump. Anyone that is going to take the time to make a bot to spam your site is going to take an extra minute to add a hack for your CAPTCHA or cat picture or sound or simple question. And saying you have to make CAPTCHA difficult for humans to read to be effective is a pretty major understatement. It should read "Computers are better at it than people."

Re:That wooshing sound.... (1)

nine-times (778537) | more than 5 years ago | (#27508415)

Well I think you make a good point: for many sites, it's not particularly worth the effort to break the captcha. On the other hand, it may be worth the effort for some sites, and it will be broken for the sake of those sites.

Once they've figured out how to break those, they might (possibly) be able to apply the same technique to everyone else with little overhead. But really, that's not even the point. If spammers can hack verification on major sites and get access to millions of free email addresses, then that's enough to worry about.

Re:That wooshing sound.... (4, Interesting)

RobertB-DC (622190) | more than 5 years ago | (#27508521)

They may be trivial to bypass (for some definition of 'trivial'), but many applications only need a tiny speed-bump to make a huge difference in undesirable traffic.

Plus, if you're using ReCaptcha [recaptcha.net], you're making the spammers do a little bit of good for the world. If they can develop software that reliably cracks ReCaptcha, then they've solved a lot tougher problem than just pushing v1@g@r@.

Re:That wooshing sound.... (4, Insightful)

Lord Ender (156273) | more than 5 years ago | (#27508647)

CAPTCHAs have moved far past "tiny speed bumps" for me. Many are case sensitive yet vary letter size greatly; they use fonts which make the number 1 and the letter l identical; and they smash things together making, for example "m" and "n n" identical.

Implementers also suck royally. Sites often require a long list of information be typed, including redundant passwords. Then they lose ALL that information when you get the CAPTCHA wrong. Some get caching all screwed up. It's a mess.

CAPTCHAs today are so much worse than "speed bumps" for regular users, that I'm beginning to wonder whether I, myself, am a bot. The internet is becoming unusable to me.

question and answer seem to work well (4, Funny)

get quad (917331) | more than 5 years ago | (#27508077)

...until AI gets smart enough to answer questions intuitively.

Re:question and answer seem to work well (4, Funny)

RichardJenkins (1362463) | more than 5 years ago | (#27508313)

At that point spam will be the least of your worries, fleshbag.

Re:question and answer seem to work well (2, Funny)

HTH NE1 (675604) | more than 5 years ago | (#27508437)

"Are you alive?"

"Yes."

"Prove it."

(ignore this) (0)

Anonymous Coward | more than 5 years ago | (#27508465)

(Just to void my moderation which went wrong...)

Re:(ignore this) (1)

etrusco (576870) | more than 5 years ago | (#27508487)

to hell with karma...

Browsing Trends (0)

Anonymous Coward | more than 5 years ago | (#27508129)

I'm surprised more web developers don't observe the browsing trends of the bots before they subscribe.

For example, if the bot "lands" on the registration page only when it attempts to register, and it hasn't looked at other pages on the site yet, there's a good chance it's a bot.

You could use this information in a few ways. For example, put a stronger captcha for that user (bot) to get through, or somehow flag that registration for review and delay its usage.

I realize this approach is much more complex to implement, but I really think it improves filtering, not to mention better usability for the end-user (maybe you wouldn't even need a captcha for them if their browsing pattern looks legitimate).

Re:Browsing Trends (2, Insightful)

shadow349 (1034412) | more than 5 years ago | (#27508297)

All the bot needs to do is do a google search for "site:example.com", hit a random sampling of the results, and then register.

In the grand scheme of things, it probably only adds a few percent of overhead for the bot.

Re:Browsing Trends (0)

Anonymous Coward | more than 5 years ago | (#27508431)

I agree there are ways to circumvent it, but the majority of bots will not go to the trouble of doing that, and that's the key.

Another idea would be to observe mouse movements through Javascript to detect a real user. This would be VERY inefficient for a bot, and probably not worth the while.

Plus, it's not like the bot developers know what they're looking for when you implement these measures (and you don't give them clues).

Again, the key is to make it really difficult for them and have them give up. It's not perfect, nor does it need to be.

Re:Browsing Trends (2, Informative)

Attila Dimedici (1036002) | more than 5 years ago | (#27508617)

I agree there are ways to circumvent it, but the majority of bots will not go to the trouble of doing that, and that's the key.

Another idea would be to observe mouse movements through Javascript to detect a real user. This would be VERY inefficient for a bot, and probably not worth the while.

This would work great until the majority of websites do it, then it is worth the overhead for the bot to go to the trouble of doing it. When CAPTCHA started it wasn't worth the bot writers' trouble to crack it. They just went to easier sites, but as more and more sites adopted CAPTCHA the value of cracking it became greater. Any successful system will eventually be adopted by a large enough number of websites to make it worth the bot writers' time to crack. At which time they will.

Re:Browsing Trends (1)

clone53421 (1310749) | more than 5 years ago | (#27508641)

...which is why a home-rolled system will probably always be more efficient, as long as it's sufficiently different from the majority of other solutions and remains so (obscuring it somehow to avoid copycats might be a good thing).

Re:Browsing Trends (0)

Anonymous Coward | more than 5 years ago | (#27508767)

You're right that eventually this will happen.

But in the meantime, why not switch while everyone else is wasting their time with CAPTCHAs, and enjoy knocking out 99% of your spam for a couple years?

After that, switch things up again.

It really isn't that difficult to foil a bot, once you understand how scraping/crawling in general works.

The challenge, as you've alluded to, is implementing this across millions of small sites where developers don't have the resources to implement their own scripts.

If your site is important enough though (and gets substantial traffic), it's not that difficult to use your imagination, and make it difficult for bots.

I do this myself all the time...

Re:Browsing Trends (1)

caramelcarrot (778148) | more than 5 years ago | (#27508355)

Some sort of bayesian analysis of the http access logs of a specific ip would probably suffice as a general strategy.

Whenever I've looked at automating scraping or whatever of some sites, it's occurred to me how easy it would be to block by behaviour - like how scraping tools tend not to download images or make attempts at precise intervals. Obviously all this behaviour could be replicated, but it'd be a lot more work and would put limits on what the bot could do.
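The checks proposed in the "Browsing Trends" thread (a client that POSTs the registration form without ever viewing a page, or without fetching the form itself) and in caramelcarrot's post directly above (no images downloaded, requests at machine-precise intervals) can be run as one scoring pass over ordinary access-log lines. The block below is an added example written for this page, not code from any poster: the log lines, the IP addresses, the `/register` path, the asset extensions and the 0.5-second regularity threshold are all constructed for the illustration.

```python
"""Behavioural bot scoring over web-server access-log lines (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format, capturing only the fields used here.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Static assets a real browser fetches but a form-posting script usually skips.
ASSET_EXT = (".png", ".jpg", ".gif", ".css", ".js", ".ico")
REGISTER_PATH = "/register"          # assumed path of the signup form


def parse_line(line):
    """Return (ip, timestamp, method, path), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]


def score_client(events):
    """events: list of (timestamp, method, path) from one IP.

    Returns (score, reasons); higher means more bot-like. A client that never
    tried to register scores 0, since every check is about the signup flow.
    """
    events = sorted(events)
    reasons = []
    post_idx = next((i for i, (_, m, p) in enumerate(events)
                     if m == "POST" and p.startswith(REGISTER_PATH)), None)
    if post_idx is None:
        return 0, reasons

    # 1. Pages viewed before the first registration POST.
    prior_pages = [p for _, m, p in events[:post_idx]
                   if m == "GET" and not p.endswith(ASSET_EXT)]
    if not prior_pages:
        reasons.append("no page views before registration POST")
    elif not any(p.startswith(REGISTER_PATH) for p in prior_pages):
        reasons.append("registration form was never fetched with GET")

    # 2. A real browser pulls the page's images/CSS/JS; scrapers usually do not.
    if not any(p.endswith(ASSET_EXT) for _, _, p in events):
        reasons.append("no static assets fetched")

    # 3. Near-constant gaps between requests look like a loop with sleep(), not a person.
    if len(events) >= 4:
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if statistics.pstdev(gaps) < 0.5:
            reasons.append("request intervals are machine-regular")
    return len(reasons), reasons


def score_log(lines):
    """Group parsed lines by client IP and score each client."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, method, path = parsed
            by_ip[ip].append((ts, method, path))
    return {ip: score_client(ev) for ip, ev in by_ip.items()}


# Constructed sample log: one browsing human, one script that hits the form directly.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Apr/2009:10:00:00 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.5 - - [07/Apr/2009:10:00:00 +0000] "GET /style.css HTTP/1.1" 200 800',
    '203.0.113.5 - - [07/Apr/2009:10:00:01 +0000] "GET /logo.png HTTP/1.1" 200 2048',
    '203.0.113.5 - - [07/Apr/2009:10:00:17 +0000] "GET /about HTTP/1.1" 200 3100',
    '203.0.113.5 - - [07/Apr/2009:10:00:41 +0000] "GET /register HTTP/1.1" 200 2900',
    '203.0.113.5 - - [07/Apr/2009:10:01:33 +0000] "POST /register HTTP/1.1" 302 0',
    '198.51.100.7 - - [07/Apr/2009:10:00:00 +0000] "POST /register HTTP/1.1" 302 0',
    '198.51.100.7 - - [07/Apr/2009:10:00:02 +0000] "POST /register HTTP/1.1" 302 0',
    '198.51.100.7 - - [07/Apr/2009:10:00:04 +0000] "POST /register HTTP/1.1" 302 0',
    '198.51.100.7 - - [07/Apr/2009:10:00:06 +0000] "POST /register HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, (score, reasons) in score_log(SAMPLE_LOG).items():
        print(ip, score, reasons)
```

The score is meant to route a client to a harder challenge or to a review queue, as the "Browsing Trends" poster suggests, not to block outright: a user arriving from a bookmark to the signup page legitimately trips check 1. shadow349's objection also holds, since a bot that crawls a few search results and fetches the page's assets before posting clears checks 1 and 2 at little cost; check 3 is the one that costs the bot throughput to defeat.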

What about ... (0)

Anonymous Coward | more than 5 years ago | (#27508137)

Use 3 images on one side, and ask a question about each image on the other side. There must be more than one question for each image so as to not have the same 3 images and questions combos popping up. Then, use a 3 strike approach and ban the IP for a day if it strikes out.

Re:What about ... (2, Interesting)

snowraver1 (1052510) | more than 5 years ago | (#27508267)

you could use the same questions for every picture, just make them generic:

Example: Picture of cat.

Question 1: Does this fly?

Question 2: Is this living?

Question 3: Would a human be able to pick this up?, etc.

Re:What about ... (1)

JimFive (1064958) | more than 5 years ago | (#27508409)

How many questions are you going to have?

3 yes/no questions: 8 possibilities. Random guessing passes 1 in 8, no problem for the bot.
10 yes/no questions: 1024 possibilities, 1 in 1024 for the bot, still not really a problem. But it is getting annoying for the user.

The point in the article (I know, I know) is that breaking the captcha is more valuable to the spammer than solving it is to the user. So, it has to be easy or you won't get any legitimate users. But if it's easy, the bots will get through.

--
JimFive

Re:What about ... (0)

Anonymous Coward | more than 5 years ago | (#27508429)

Those are all binary decisions; the computer will get them right 50% of the time. You need questions that the computer will get wrong 99.99% of the time but the human will get right 99% of the time.

Re:What about ... (1)

sunking2 (521698) | more than 5 years ago | (#27508479)

1: It does if I throw it hard enough

2: No, I threw it against the wall.

3: No, it's a picture on my LCD that's bolted to the wall.

Do I have access yet? Question/Answer is just too freeform and questionable. They would frustrate way too many people as they require reading and understanding and at least some degree of thinking. If you make it multiple choice then you've really just made it a guessing game where brute force and volume will be all that matters. Captchas are annoying as well, but pretty simple to do.

Annoyance (4, Insightful)

Renraku (518261) | more than 5 years ago | (#27508153)

That's where the issue is.

I've been a nerd since I was born. Grew up with early computers. Watched them evolve until now. But nothing makes me feel dumber than trying a CAPTCHA 5 or 6 times and failing every time. It's a serious annoyance and I've seen WORSE that I haven't even attempted.

Just accept the truth ... (4, Funny)

jbeaupre (752124) | more than 5 years ago | (#27508199)

... you are a computer. Life, er, up-time will be easier.

After three tries (2, Interesting)

geekoid (135745) | more than 5 years ago | (#27508177)

block the IP address for 10 minutes, then an hour, then a day.

Re:After three tries (0)

Anonymous Coward | more than 5 years ago | (#27508215)

I need more than 3

Re:After three tries (1)

AvitarX (172628) | more than 5 years ago | (#27508265)

I've failed 3 CAPTCHAs in a row more than a few times.

I'm terrible at them though.

Re:After three tries (1)

geekoid (135745) | more than 5 years ago | (#27508749)

So? no forum for you. So Sad.

On the plus side, with this technique, you wouldn't need to change them with every guess.

CAPTCHAs work as well as DRM... (3, Insightful)

Anita Coney (648748) | more than 5 years ago | (#27508197)

... which is another way of saying they really don't work at all. Both annoy legitimate customers and users while still allowing those with nefarious motives to do whatever they wanted to do in the first place.

kittenauth (0)

Anonymous Coward | more than 5 years ago | (#27508237)

This is the answer:
http://www.thepcspy.com/kittenauth
http://www.artsoft.org/phpbb_ka/

Stuck in the old ways (5, Insightful)

Anonymous Coward | more than 5 years ago | (#27508245)

Everyone seems to think that the answer to this is to challenge the user somehow. Why isn't a technical solution possible that doesn't require any interaction from a person?

On my own contact forms, I use a really simple obfuscation technique, it doesn't require any user interaction, and I don't get any spam. I've chosen to name my form elements with meaningless names, because obviously automated spammers rely on field names to fill in the blanks. If they see a form like this:

<input type="text" name="email">
<input type="text" name="subject">
<input type="text" name="message">

Obviously it's pretty easy to fill out. If they see this instead:

<input type="text" name="sj38d74j">
<input type="text" name="9sk2i84h">
<input type="text" name="m29s784j">

Then they probably won't even make it past the email validation part, unless they catch the error that my page is printing and try all combinations (or get lucky).

It makes it even more effective when you use fields with good names, but hide them from users with either CSS or Javascript:

<input type="text" name="email" style="display: none;">

That's a honeypot, if it's filled out then it's a robot. You can use the same CSS or Javascript techniques to also print messages informing users not to fill those out if their browser decides to not run my code and instead shows them.

Really simple solution, requiring no user interaction, and it is at least as effective as, if not more effective than, a challenge and response type of solution. I don't know why everyone is hung up on a visual challenge when it's a lot easier to distinguish between a real web browser and a scraper that doesn't bother to execute Javascript or apply CSS. I've been saying this for years though, so I don't really expect anyone to start paying attention now.. at least my own inbox is spam-free though.
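The two techniques in the post above, meaningless field names and a CSS-hidden honeypot input, together with the server-side validation the post only alludes to, as an added example that is not the poster's own code. The random names are generated per session and kept only on the server, so a bot replaying the stock names `email`/`subject`/`message` never fills a real input, and a bot that stuffs every text input it scrapes trips the honeypot. The `session` dict standing in for server-side session storage, the `/contact` action and the `f`-prefixed naming scheme are assumptions made for the illustration.

```python
"""Randomised field names plus a CSS-hidden honeypot for a contact form (added example)."""
import secrets

LOGICAL_FIELDS = ("email", "subject", "message")


def render_form(session):
    """Build the form HTML and remember this session's field-name mapping.

    `session` stands in for server-side session storage (a plain dict here).
    The random names live only there, so nothing in the page reveals which
    input is the e-mail address.
    """
    names = {f: "f" + secrets.token_hex(4) for f in LOGICAL_FIELDS}
    honeypot = "f" + secrets.token_hex(4)
    session["form_names"] = names
    session["honeypot"] = honeypot
    inputs = [f'<input type="text" name="{names[f]}">' for f in LOGICAL_FIELDS]
    # Honeypot: hidden from people with CSS; autocomplete off and a random name
    # so browser autofill does not populate it and trip the check.
    inputs.append(
        f'<div style="display:none"><input type="text" name="{honeypot}" '
        f'autocomplete="off" tabindex="-1"></div>'
    )
    return '<form method="post" action="/contact">' + "".join(inputs) + "</form>"


def validate_submission(session, posted):
    """Return (accepted, reason, data) for a POSTed dict of field name -> value."""
    names = session.get("form_names")
    honeypot = session.get("honeypot")
    if not names or not honeypot:
        return False, "no form was issued to this session", None
    if posted.get(honeypot, "").strip():
        return False, "honeypot field filled", None       # a robot filled every input
    data = {}
    for logical, random_name in names.items():
        value = posted.get(random_name, "").strip()
        if not value:
            return False, f"missing field: {logical}", None  # stock names never match
        data[logical] = value
    if "@" not in data["email"]:
        return False, "invalid email", None
    # One-shot: consume the issued mapping so a captured form cannot be replayed.
    del session["form_names"], session["honeypot"]
    return True, "ok", data


def demo():
    """Three submissions against freshly rendered forms; returns their verdicts."""
    verdicts = {}

    # A human: fills the visible inputs under their random names, honeypot stays empty.
    session = {}
    render_form(session)
    names = session["form_names"]
    verdicts["human"] = validate_submission(session, {
        names["email"]: "alice@example.com", names["subject"]: "hi", names["message"]: "hello",
    })[0]

    # A bot replaying the well-known names it learned on other sites.
    session = {}
    render_form(session)
    verdicts["stock_names"] = validate_submission(session, {
        "email": "x@y.z", "subject": "buy", "message": "now",
    })[0]

    # A bot that scraped the form and stuffs a value into every text input it found.
    session = {}
    render_form(session)
    names = session["form_names"]
    everything = {v: "spam" for v in names.values()}
    everything[names["email"]] = "x@y.z"
    everything[session["honeypot"]] = "spam"
    verdicts["fills_everything"] = validate_submission(session, everything)[0]
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Two caveats that the thread itself raises apply here: a bot that fetches the form each time and fills only the inputs its own CSS/JavaScript evaluation shows as visible defeats both checks (dragoncortez's point that this stops working once it is common), and the honeypot must be hidden in a way that leaves the mapping per session, otherwise a bot learns the one hidden name once. Because the honeypot is only hidden by CSS, the form should also carry a visible-to-assistive-technology hint to leave it empty, as the poster suggests printing for browsers that do not apply the stylesheet.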

How does that work with Auto-Fill mechanisms? (1)

SuperKendall (25149) | more than 5 years ago | (#27508361)

I like the general idea, however a problem I see is that mechanisms that auto-fill forms for you (like your name and email address) may not work on your page - and even worse might populate that honey pot field the same way a bot would.

Re:How does that work with Auto-Fill mechanisms? (1)

clone53421 (1310749) | more than 5 years ago | (#27508569)

Auto-fill tools work by remembering the previous values of the fields. As long as the field names weren't changed from visit to visit, it should work fine.

If you're talking about the robo-form fillers that try to fill out forms that you've never visited before, it'd be easy enough to clear the honeypot inputs using Javascript after the page was loaded. A robot most likely wouldn't execute the Javascript.

Re:Stuck in the old ways (1)

egandalf (1051424) | more than 5 years ago | (#27508555)

Those are some very good ideas... would that I had some mod points.

I may be able to implement those ideas in the future, but for now I'm using reCaptcha, which is dual-benefit. Helping OCR some old text for preservation and keeping spam off my site.

Thanks for the ideas.

Re:Stuck in the old ways (1)

dragoncortez (603226) | more than 5 years ago | (#27508665)

That's great for now, but if that approach becomes more common, it will be just as easy to overcome as today's CAPTCHAs. The article is saying that we need systems that take automation out of the picture. Caps on number of messages/emails sent. Heuristic "profiling" on accounts. Reverse spam filtering. Methods that catch the bots after registering, rather than relying on the registration form as your sole defense.

Re:Stuck in the old ways (1)

sifur (1423871) | more than 5 years ago | (#27508751)

An excellent solution.

Captured by Captchas! (0)

Anonymous Coward | more than 5 years ago | (#27508285)

Help! Help! I've been captured by captchas! I'm now forced to post as Anonymous Coward so I can enjoy the beauty and wisdom of the Slashdot captcha!

Hee hee ha ha!!! Help I need taken away to Captcha land!! he he ha ha haha!!

One captcha I've seen... (2, Interesting)

smooth wombat (796938) | more than 5 years ago | (#27508287)

has a different take on the subject. Rather than trying to obscure the image with lines or similar measures, it uses a series of letters, some of which are in color. You are then asked to type in the colored letters to proceed.

I don't know if these are static images or generated each time but the owner claims his site has almost no spammers (i.e. people have to do it, not machines).

Great for daltonists (1)

kosmosik (654958) | more than 5 years ago | (#27508375)

Srly - great. :)

Re:One captcha I've seen... (1)

clone53421 (1310749) | more than 5 years ago | (#27508483)

His site probably also doesn't have many colourblind users.

Re:One captcha I've seen... (1)

smooth wombat (796938) | more than 5 years ago | (#27508599)

His site has hundreds of thousands of registered users so I am presuming he has a few. He does have an alternative method for color blind people to use.

Re:One captcha I've seen... (1)

JimFive (1064958) | more than 5 years ago | (#27508525)

How hard could it be to strip out the uncolored letters, send the image through a quick OCR and pipe the text into the field?
--
JimFive

Re:One captcha I've seen... (1)

AvitarX (172628) | more than 5 years ago | (#27508527)

More likely is that the site is not high enough profile and the CAPTCHA is unique enough that no software tries to do it.

The thing about CAPTCHAs is that they require some effort, and a significant amount of up front effort even. So if a site is not high profile, and it does not use a CAPTCHA that is like others, it will go un-noticed.

After-all there are plenty of other sites that take less effort. I would otherwise think that the CAPTCHA you describe is trivial for both computers and humans.

Re:One captcha I've seen... (4, Interesting)

Kimos (859729) | more than 5 years ago | (#27508663)

There are a few flaws with this idea. Primarily that it blocks colorblind individuals from registering for the site, and there are many more colorblind internet users than visually and hearing impaired.

This is also not very difficult to break. Assuming that the letters and numbers aren't obfuscated the same way CAPTCHA images are (if they are then this is just another CAPTCHA), a bot would be able to parse the characters out of the image. It could then classify the characters into groups of colors, pick one group randomly, and guess. There couldn't be more than four or five colors in the image since asking to differentiate between aqua/navy/royal/pale blue is unreasonable for a human (but interestingly enough, not difficult for a computer). That would give you a bot with a ~20-25% accuracy rate.

Beyond that, you could parse the question as well, looking for the words red, blue, green, black, etc. and classify ranges of hex colors into associated color names. That would greatly increase success rate of guesses.

This is not a reliable CAPTCHA replacement and in fact seems not very difficult to break.

How about analogies? (1)

Mike Blakemore (999177) | more than 5 years ago | (#27508307)

CAPTCHA is to Broken as The Economy is to:

a) Cowboy Neal

b) f*ked

c) RickRolled! [youtube.com]

Re:How about analogies? (1)

danwesnor (896499) | more than 5 years ago | (#27508589)

When a rickrolling reference shows up in something as lame as the Macy's parade, it's time to stop making rickrolling references.

Wrong implementation (3, Informative)

js3 (319268) | more than 5 years ago | (#27508351)

Most CAPTCHAs are hacked because their implementation is amateurish. They are hacked by reusing session ids or dictionary attacks and nothing to do with the actual image itself. Long story short CAPTCHAs reduce the amount of spam by more than 50% simply because it's not worth the effort for a spambot to break it, after all they have the entire internet to spam.

Some are good, some are bad, and most are downright horrible, but you wouldn't want your favorite forum to be trolled by spambots, would ya? Might as well live with it. Nothing works 100%; you should know that by now.
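The session-reuse flaw the comment above refers to, shown as an added example beside a hardened version (example code, not from the post or any real CAPTCHA library). The vulnerable class keeps the answer in the session and never consumes it, so one human-solved puzzle can be replayed for every later submission; the hardened one gives each challenge a random single-use id, deletes the record on the first check whether the answer was right or wrong, expires it, and compares in constant time. The in-memory dicts and the injectable clock are assumptions for the demo.

```python
import hmac
import secrets
import time


class ReplayableCaptcha:
    """Vulnerable: answer lives in the session and is never cleared.

    A spammer (or a paid solver) answers once, then scripts the same
    session id and answer for thousands of submissions.
    """

    def __init__(self):
        self.sessions = {}          # session_id -> expected answer

    def issue(self, session_id, answer):
        self.sessions[session_id] = answer

    def verify(self, session_id, submitted):
        return self.sessions.get(session_id) == submitted   # never consumed


class OneTimeCaptcha:
    """Hardened: random single-use challenge id, expiry, constant-time compare."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self.challenges = {}        # challenge_id -> (answer, expires_at)
        self.ttl = ttl_seconds
        self.now = now              # injectable for tests

    def issue(self, answer):
        challenge_id = secrets.token_urlsafe(16)   # unguessable, not the session id
        self.challenges[challenge_id] = (answer, self.now() + self.ttl)
        return challenge_id

    def verify(self, challenge_id, submitted):
        # pop() consumes the challenge on the first attempt, right or wrong,
        # so neither replay nor dictionary guessing against one image works.
        record = self.challenges.pop(challenge_id, None)
        if record is None:
            return False
        answer, expires_at = record
        if self.now() > expires_at:
            return False
        return hmac.compare_digest(answer.encode(), submitted.encode())


def replay_demo():
    """Return (vulnerable_accepts_replay, hardened_accepts_replay)."""
    weak = ReplayableCaptcha()
    weak.issue("sess-1", "x7kq")
    weak_first = weak.verify("sess-1", "x7kq")
    weak_replay = weak.verify("sess-1", "x7kq")

    strong = OneTimeCaptcha()
    cid = strong.issue("x7kq")
    strong_first = strong.verify(cid, "x7kq")
    strong_replay = strong.verify(cid, "x7kq")
    return (weak_first and weak_replay, strong_first and strong_replay)
```

Burning the challenge on a wrong answer is what stops the dictionary attack: a bot cannot keep guessing against the same image, it has to fetch (and solve) a fresh one each time.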

Re:Wrong implementation (1)

Cro Magnon (467622) | more than 5 years ago | (#27508631)

but you wouldn't want your favorite forum to be trolled by spambots would ya?

My favorite site is /. It's already trolled by spambots, you insensitive clod.

can't be done (0)

Anonymous Coward | more than 5 years ago | (#27508391)

we are all just programs living inside the matrix of reality. it then goes to show that the programs we write could therefore exhibit and exploit any traits which we claim make us human, thus making it very difficult to find a simple test to express what is a conscious living human person.

also, "self awareness" is a lie.

New option for stopping bots (1)

thewiz (24994) | more than 5 years ago | (#27508445)

It looks like we need a different approach to stop the bots.

Nuke the sites from orbit; it's the only way to be sure.

Limit services based on effort expended (4, Interesting)

davidwr (791652) | more than 5 years ago | (#27508475)

The more effort someone is willing to put out to prove they are human or are backed by a human willing to be responsible for problems, the more abuse-able services you give them.

For example, e-mail service providers could offer several tiers:

Simple signup/new accounts:
Limited number and size of incoming and outgoing messages.

Verified signup/driver's license with confirmation by paper mail:
Nearly-full, with shutoff or limitations imposed at first sign of abuse.

Verified signup/credit card with confirmation:
Nearly-full, with shutoff or limitations imposed at first sign of abuse.

Established account, with a pattern of usage indicative of a human over a period of several weeks:
Nearly-full, with shutoff or limitations imposed at first sign of abuse.

Credentialed user, backed by a substantial bond or deposit and an explanation of why suspicious behavior really is legitimate:
Full access plus a free pass on "legitimate" suspicious behavior until someone complains, but if it's abused then throttle him and take the costs out of his deposit.

The CAPTCHA is fundamentally flawed (1)

onyxruby (118189) | more than 5 years ago | (#27508507)

It's doomed because it's fundamentally flawed. When you can hire someone in India to crack them by the thousands (per day) for cheap wages, it's all moot. It doesn't matter what you do for lettering and whatnot when you have an intelligent human perfectly willing to solve them. They just happen to be in the employ of spammers. They make CAPTCHAs on the assumption it isn't worth someone's time to crack them; the problem is they are placing value on time / labor expenditure at local rates and not those in India.

Blogs? (1)

AdmiralXyz (1378985) | more than 5 years ago | (#27508509)

I was under the impression that there was some kind of Slashdot policy against submitting links to your own (rather uninsightful) blog. Evidently I was mistaken.

Stopping bots is easy... (5, Funny)

MrBippers (1091791) | more than 5 years ago | (#27508533)

Solve the following math problem to continue:
1/0 = ?

What about intellect/language? (1, Interesting)

Anonymous Coward | more than 5 years ago | (#27508541)

There is a different way to manage obscurity/captchas: simply generate strangely worded questions with obvious answers.

Maybe I've missed something, but wouldn't a bot have significant trouble coming up with the answer to a question like:
What does a person see with? (plural)

Not that anyone would be able to get past the 'who was the n-th president of the U.S' approach.

It's a Turing test (1, Insightful)

garyebickford (222422) | more than 5 years ago | (#27508609)

CAPTCHAs are simple Turing tests. As computers get faster and software gets smarter, it will become harder and harder to tell them apart. Also, since humans have a broad spectrum of ability, there will be an increasing percentage of humans who cannot pass the tests.

For example, math students who can not tell a Rembrandt from a Picasso, and art students who can't determine the roots of a simple quadratic. (See, I'm not picking on anyone in particular - we are all ignorant in most fields.)

In future we will get to a point where the computers can design CAPTCHAs that no human can solve, but robots can!

Re:It's a Turing test (0)

Anonymous Coward | more than 5 years ago | (#27508683)

captchas are idiotic turing tests. identification of a symbol and determining if something is human are pretty far flung goals and the former is infinitely easier than the latter. show me a *correct* automated turing test and i'll show you proof that there is no such thing as self awareness. (what are you gonna do, ask someone if they're happy and why?)

FAPTCHA (0)

Anonymous Coward | more than 5 years ago | (#27508611)

I recently worked with a kid who was trying to implement a "faptcha" on his imageboard - it displays male or female body parts and you select with radio buttons what it is from a list. Although, this is a pretty M rated solution. Whatever happened to "Cat or Kitten"?

Solving by porn users? (0)

Anonymous Coward | more than 5 years ago | (#27508643)

Has anyone ever been to a site where you have to solve a captcha in return for porn? I've seen my share of sites and never found one that does. I guess everybody assumes that somewhere somebody's got to be trying it, but nobody actually is.

Social drawback of captchas (1)

da.phreak (820640) | more than 5 years ago | (#27508645)

One major problem of captchas is that usually blind users can't solve the captcha. So you effectively lock out disabled persons from your website, a fact that is rarely mentioned in association with captchas. I think disabled people have enough problems already, there's no reason to further annoy them with captchas (I'm even annoyed by them as a not-disabled person).

Anonymous Coward (1)

Anonymous Coward | more than 5 years ago | (#27508659)

I've found the best method is not relying solely on CAPTCHAs.

1. Build a simple CAPTCHA to catch most spam bots, yet something that my grandma can easily read.

2. Create a form field and set the display style attribute to 'none' to hide it. Bots tend to fill in all fields, so if the field comes back with something in it, chances are it was a bot submission.

I've recently implemented this technique on a very heavily spammed contact form and haven't seen a single bot slide past.
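The two-layer check described above, as an added example (not the commenter's code). It assumes a plain POSTed form dictionary, a hypothetical honeypot field named `website_url`, and a pluggable `captcha_verify(challenge_id, answer)` callable standing in for whatever CAPTCHA backend the site already has; the form fragment and the bot/human submissions are constructed sample data.

```python
HONEYPOT_FIELD = "website_url"   # hypothetical name; looks like a real field to a bot

# Constructed form fragment. The honeypot sits in a display:none wrapper so a
# browser never renders it; tabindex=-1 and autocomplete=off keep keyboard
# users and browser autofill from touching it by accident.
FORM_HTML = f"""<form method="post" action="/contact">
  <input name="name">
  <input name="email">
  <textarea name="message"></textarea>
  <div style="display:none" aria-hidden="true">
    <input name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
  </div>
  <input type="hidden" name="captcha_id" value="CHALLENGE-ID">
  <input name="captcha_answer">
</form>"""


def check_submission(fields, captcha_verify):
    """Return (accepted, reason) for one POSTed form dict.

    The honeypot is checked first because it costs nothing; only submissions
    that leave it empty go on to the (comparatively expensive) CAPTCHA check.
    """
    if fields.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"
    if not captcha_verify(fields.get("captcha_id", ""), fields.get("captcha_answer", "")):
        return False, "captcha failed"
    return True, "accepted"


def triage(submissions, captcha_verify):
    """Count outcomes by reason over a batch of submissions."""
    counts = {}
    for fields in submissions:
        _, reason = check_submission(fields, captcha_verify)
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed submissions: a bot that fills in every field it finds, and a human.
BOT_POST = {
    "name": "Buy now", "email": "x@example.invalid", "message": "cheap pills",
    "website_url": "http://spam.example", "captcha_id": "c1", "captcha_answer": "abcd",
}
HUMAN_POST = {
    "name": "Ann", "email": "ann@example.invalid", "message": "hello",
    "website_url": "", "captcha_id": "c1", "captcha_answer": "abcd",
}
```

One caveat worth keeping in mind: a bot that renders CSS, or one that simply omits fields it does not recognise, walks straight past the honeypot, which is why the comment keeps the CAPTCHA as the second layer rather than replacing it.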

NO! Really?! (1)

denmarkw00t (892627) | more than 5 years ago | (#27508675)

Come on now, I know we've discussed the demise of the CAPTCHA here on /. before. It's simple, though, to see that we'll need to innovate for more solid methods of checking human vs. computer. If you've seen one CAPTCHA you've likely seen 50 different styles, which should be a clear sign that developers are struggling to keep up with the enemy, as usual, but as long as we keep innovating, the spammers will have to continue innovating as well. There won't ever [likely] be a solid, foolproof solution for detecting a human vs. a bot as far as testing the "user" against some set of images or speech, even.

Take away the incentive (1)

AmBoy00 (812165) | more than 5 years ago | (#27508735)

It seems to me (which admittedly is very limited) that spam comments are only as valuable as google/users allow them to be. Most users can recognize a spam comment and ignore them, but Google can recognize links. Make links have "nofollow" in them.
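Forcing `rel="nofollow"` onto every link in user-submitted HTML, as an added example of the suggestion above (not the commenter's code). It re-serialises the fragment with the standard-library `html.parser`, merging `nofollow` into an existing `rel` rather than clobbering it; the input fragments are constructed.

```python
import html
from html.parser import HTMLParser


def _with_nofollow(attrs):
    """Return an <a> attribute list with 'nofollow' merged into rel."""
    out, seen_rel = [], False
    for name, value in attrs:
        if name == "rel":
            tokens = (value or "").split()
            if "nofollow" not in tokens:
                tokens.append("nofollow")
            value, seen_rel = " ".join(tokens), True
        out.append((name, value))
    if not seen_rel:
        out.append(("rel", "nofollow"))
    return out


class NofollowRewriter(HTMLParser):
    """Re-emit HTML unchanged except that every <a> carries rel=nofollow."""

    def __init__(self):
        super().__init__(convert_charrefs=False)   # keep &amp; etc. as written
        self.parts = []

    def _tag(self, tag, attrs, self_closing):
        if tag == "a":
            attrs = _with_nofollow(attrs)
        rendered = "".join(
            f' {k}="{html.escape(v, quote=True)}"' if v is not None else f" {k}"
            for k, v in attrs
        )
        self.parts.append(f"<{tag}{rendered}{'/' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        self.parts.append(data)

    def handle_entityref(self, name):
        self.parts.append(f"&{name};")

    def handle_charref(self, name):
        self.parts.append(f"&#{name};")

    def handle_comment(self, data):
        self.parts.append(f"<!--{data}-->")


def add_nofollow(fragment: str) -> str:
    """Rewrite a comment body so search engines pass no link weight to it."""
    parser = NofollowRewriter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.parts)
```

This only removes the SEO payoff; it does nothing about spam posted for direct clicks, so it complements rather than replaces the other checks in the thread.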

Something like this perhaps (1)

jlcooke (50413) | more than 5 years ago | (#27508747)

The key is to make the bots/spammers use more resources than they have.

Something like this [certainkey.com] can be used to slow down email address scanning bots.

Like sending email with hashcash, if you make the scammers work to get the right answer by requiring them to compute a computationally complex formula (crypto function random walk distinguished points), they will not be able to keep up.

A website can pre-compute a table of (and continuously add to that table) challenge-responses that a visitor must perform. A human will see a 5-15 second delay to registration; to a bot this can be intolerable.
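A hashcash-style proof-of-work gate in the spirit of the comment above, as an added example (not the commenter's code or the linked certainkey.com scheme). It uses a plain SHA-256 leading-zero-bits puzzle rather than the distinguished-point random walk the comment mentions, which is an assumed simplification: the client brute-forces a nonce (expected cost 2**bits hashes) while the server checks the answer with a single hash and burns the challenge on first use. The difficulty constant, the challenge table and the injectable clock are assumptions for the demo.

```python
import hashlib
import os
import time

DIFFICULTY_BITS = 20   # ~1M hashes expected; tune so a human's browser takes seconds


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 32-byte SHA-256 digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def pow_digest(challenge: str, nonce: int) -> bytes:
    return hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()


def solve_challenge(challenge: str, bits: int = DIFFICULTY_BITS) -> int:
    """Client side: search for a nonce; cost grows as 2**bits."""
    nonce = 0
    while leading_zero_bits(pow_digest(challenge, nonce)) < bits:
        nonce += 1
    return nonce


def verify_solution(challenge: str, nonce: int, bits: int = DIFFICULTY_BITS) -> bool:
    """Server side: one hash, whatever the difficulty."""
    return leading_zero_bits(pow_digest(challenge, nonce)) >= bits


class ProofOfWorkGate:
    """Server-side table of outstanding challenges, each redeemable once."""

    def __init__(self, bits=DIFFICULTY_BITS, ttl_seconds=300, now=time.time):
        self.bits, self.ttl, self.now = bits, ttl_seconds, now
        self.outstanding = {}   # challenge -> expiry timestamp

    def issue(self) -> str:
        challenge = os.urandom(16).hex()   # random, so answers cannot be precomputed
        self.outstanding[challenge] = self.now() + self.ttl
        return challenge

    def redeem(self, challenge: str, nonce: int) -> bool:
        expires = self.outstanding.pop(challenge, None)   # single use
        if expires is None or self.now() > expires:
            return False
        return verify_solution(challenge, nonce, self.bits)


def timed_round_trip(bits: int = DIFFICULTY_BITS):
    """Issue, solve and redeem one challenge; return (accepted, client_seconds)."""
    gate = ProofOfWorkGate(bits=bits)
    challenge = gate.issue()
    start = time.perf_counter()
    nonce = solve_challenge(challenge, bits)
    elapsed = time.perf_counter() - start
    return gate.redeem(challenge, nonce), elapsed
```

Two practical caveats: the asymmetry is what makes it cheap for the site (verification is one hash regardless of difficulty), but a spammer running on a botnet has far more idle CPU than the site has verification budget, so proof of work raises the per-account cost rather than blocking automation outright, and a difficulty that takes seconds on a desktop can take much longer on a weak mobile device.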

Why does it have to be image based? (0)

Anonymous Coward | more than 5 years ago | (#27508753)

Why not use logic? I've been using it for my sites and it works great! Here's an example:

http://paramountroofingny.com/html/contact.php

Dave
