Analyzing CAPTCHAs

CmdrTaco posted more than 3 years ago | from the i-fail-more-than-i-win dept.

Security 105

Bruce Schneier's blog pointed me to a research paper on "Attacks and Design of Image Recognition CAPTCHAs" (PDF). The abstract says, "We systematically study the design of image recognition CAPTCHAs (IRCs) in this paper. We first review and examine all IRCs schemes known to us and evaluate each scheme against the practical requirements in CAPTCHA applications, particularly in large-scale real-life applications such as Gmail and Hotmail."

105 comments

go bruce... (-1)

Anonymous Coward | more than 3 years ago | (#33793628)

yeah... running low on things to study?

Re:go bruce... (0)

The Archon V2.0 (782634) | more than 3 years ago | (#33793736)

> yeah... running low on things to study?
Bruce is running low on things to study just as much as you're running low on articles to read.

PDF warning? (0, Troll)

clone53421 (1310749) | more than 3 years ago | (#33793648)

2nd link is a PDF. Thanks for the warning...

Re:PDF warning? (0, Offtopic)

jolyonr (560227) | more than 3 years ago | (#33793714)

> 2nd link is a PDF. Thanks for the warning...

I see they cunningly hid the pdf file in a link ending with the filename ccs10.pdf

Don't you check what links are before you click them?

Re:PDF warning? (0, Offtopic)

clone53421 (1310749) | more than 3 years ago | (#33793782)

Not always when they’re in the summary...

Sure, I probably should, but still...

Re:PDF warning? (2, Funny)

jolyonr (560227) | more than 3 years ago | (#33793804)

And my apologies back to you and the rest of slashdot for using the phrase 'pdf file'

I should know better!

Re:PDF warning? (2, Funny)

Zelkan (1794876) | more than 3 years ago | (#33793898)

Sounds like a Freudian slip. Got something to tell us about your love for children?

Re:PDF warning? (0, Offtopic)

gstoddart (321705) | more than 3 years ago | (#33794066)

> And my apologies back to you and the rest of slashdot for using the phrase 'pdf file'

Except, the F doesn't stand for File, it stands for Format [wikipedia.org].

So, it most assuredly is a PDF file. It's not like saying "PIN Number", which is what you are implying.

Re:PDF warning? (1)

GasparGMSwordsman (753396) | more than 3 years ago | (#33799810)

> And my apologies back to you and the rest of slashdot for using the phrase 'pdf file'
>
> I should know better!

It's ok, we forgive you. But from now on /. is going to require you to type in your PIN number. Not the same PIN number you use at the ATM machine though.

Re:PDF warning? (0, Offtopic)

ElectricTurtle (1171201) | more than 3 years ago | (#33793800)

One wonders how many times he has been Rick Roll'd and Goatse'd.

Re:PDF warning? (1)

clone53421 (1310749) | more than 3 years ago | (#33793870)

Eh, a few.

Best rickroll I’ve seen was written in assembly code and instructed you to paste it into DEBUG, resulting in a never-ending loop playing the first stanza or two. I ran it in DOSBox just to be on the safe side...

Best goatse was a black PNG with the image stored in the alpha channel.

Re:PDF warning? (0)

Anonymous Coward | more than 3 years ago | (#33794374)

Link or it didn't happen

Re:PDF warning? (0)

Anonymous Coward | more than 3 years ago | (#33794414)

Wow... you are a masochist!

Re:PDF warning? (0)

Anonymous Coward | more than 3 years ago | (#33793740)

Hope you survive bro.

2010 Re:PDF warning? (1)

weeeeed (675324) | more than 3 years ago | (#33793910)

It's 2010, get a life. Comments like this were funny sometimes around 1996.

Re:2010 Re:PDF warning? (1)

Culture20 (968837) | more than 3 years ago | (#33794540)

> It's 2010, get a life. Comments like this were funny sometimes around 1996.

It's 2010. In 1996, PDFs weren't a potential security vulnerability.

hmm... (2, Insightful)

radicalpi (1407259) | more than 3 years ago | (#33793670)

I wonder how long until we have no way of distinguishing a bot from a person. Existing CAPTCHAs don't work all that well, and I can't see future ones working much better for very long. The Cylons are among us! Any one of us could be one!

Re:hmm... (1)

fifedrum (611338) | more than 3 years ago | (#33793746)

I hear you can just pay people to sit in front of a PC all day solving captchas, and it's cheaper than a bot.

Re:hmm... (2, Funny)

radicalpi (1407259) | more than 3 years ago | (#33793774)

Yeah, they're Cylons.

Not Cylons, Nigerians (1)

wsanders (114993) | more than 3 years ago | (#33796262)

I dealt with spam sent via phished passwords in a previous job. No one could relay through our site, and our IDS blocked large mail bombs via authenticated SMTP and IMAP, so the spammers always got in by logging in via the HTTP interface and apparently cutting and pasting spam messages one recipient at a time.

About 3/4 of the spammy logins were from Nigeria and Togo and the rest were from various places like Israel, Saudi Arabia, and various UAE states. It's the ultimate work from home job!

Re:hmm... (1)

ElectricTurtle (1171201) | more than 3 years ago | (#33793820)

Mechanical Turk FTW. Apparently we don't really need strong AI so long as we have cheap labor in the 3rd world.

Industry in WORLD 3-1 (0, Offtopic)

tepples (727027) | more than 3 years ago | (#33793872)

> Apparently we don't really need strong AI so long as we have cheap labor in the 3rd world.

Then perhaps we need to send people down the tube at the end of world 1-2 [flickr.com] to build roads and the like so that we can industrialize the 3rd world and make the labor more valuable.

Re:hmm... (1)

cheekyjohnson (1873388) | more than 3 years ago | (#33796106)

Cheaper? Maybe for the initial cost of developing such a bot for a temporary amount of time, but the bot doesn't cost anything after that as far as I know.

Re:hmm... (4, Funny)

melikamp (631205) | more than 3 years ago | (#33793900)

It's happening already, I think, with turn-key solutions floating around featuring 20-35% accuracy. I don't have 100%, more like 80% or so, and I am a human.

OT, but I found a way to make RECAPTCHA entertaining. With two words given, I always just type one of the words, and put "fuck" for the other. The accuracy falls below 50%, but the giggles make it all worthwhile.

Re:hmm... (1)

clone53421 (1310749) | more than 3 years ago | (#33793922)

> OT, but I found a way to make RECAPTCHA entertaining. With two words given, I always just type one of the words, and put "fuck" for the other. The accuracy falls below 50%, but the giggles make it all worthwhile.

Below 50%? I probably average ~90% ... the key is in figuring out which word you have to get correct. There’s always the button to get a different captcha if you can’t tell on the one it gave you...

Re:hmm... (1)

melikamp (631205) | more than 3 years ago | (#33794214)

You are right, most of the time they look sufficiently different: the challenge is longish and more scrambled, while the optional is shorter and looks like a shitty scan. Sometimes, though, they do look pretty damn identical. Guys, let's all write "fuck" in RECAPTCHA, that way we may actually make a difference.

Re:hmm... (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33793988)

> ...and I am a human.

Can you prove that?

Re:hmm... (1)

lxs (131946) | more than 3 years ago | (#33794208)

I have come to the conclusion that I am a bot. Half the time I can't read those captcha thingies.

Re:hmm... (1)

Bigjeff5 (1143585) | more than 3 years ago | (#33794750)

Same here, I spent 15 minutes trying to get one to work the other day, but the letters were so messed up and the words so nonsensical that I couldn't manage it. So I tried the audio option. Makes sense right? Just listen to the words and it'll be easy! Except the audio was so fucked I couldn't understand it.

I managed to get in eventually, but I'm avoiding that website from now on.

Re:hmm... (0)

Anonymous Coward | more than 3 years ago | (#33798076)

Ever tried the audio version? Holy crap! My blind friend gave up almost immediately. All the static of the images, but translated to SOUND!!!

Re:hmm... (0)

Anonymous Coward | more than 3 years ago | (#33802200)

Since 4chan implemented reCAPTCHA, there have been various instructional guides on how to game it.

The short of it is that only one of the words (the computer-generated one) is needed to complete the captcha. reCAPTCHA will never generate any of the following words: foreign words, numbers, words with punctuation in them or before/after them, words in a different font, words with capital letters, words with a background, or words with lots of dots around them (a product of scanning). reCAPTCHA is also prone to generating not-real words. If there is a word that is real and a word that is fake, the fake word is the computer-generated one and the one you have to get right. It takes a bit of practice, but since every post on 4chan requires the user to fill in the reCAPTCHA, I've personally gotten very used to solving them and can rapidly figure out which is fake and which is real.

Re:hmm... (1)

gstoddart (321705) | more than 3 years ago | (#33794266)

> I wonder how long until we have no way of distinguishing a bot from a person.

Well, there's always the Turing Test [wikipedia.org], but that could make signing into web sites a real nuisance. :-P

Also this... (1)

KingAlanI (1270538) | more than 3 years ago | (#33797204)

...There was a Numb3rs episode wherein a supercomputer was programmed to fake its way through a Turing test. Cool concept.

Re:hmm... (4, Interesting)

tlhIngan (30335) | more than 3 years ago | (#33794840)

> I wonder how long until we have no way of distinguishing a bot from a person. Existing CAPTCHAs don't work all that well, and I can't see future ones working much better for very long. The Cylons are among us! Any one of us could be one!

Well, CAPTCHAs worked because they relied on vision tests - a skill that humans still do better than computers, but computer vision is already quite advanced. Then the countermeasures came where CAPTCHAs started getting so distorted that it was impossible to determine the code (I remember a forum I signed up for - took more than 15 tries and a cookie reset).

However, there are still difficult-for-computer-but-easy-on-humans tasks that can be done. I'm surprised no one's yet hooked a way into the Amazon Mechanical Turk or the like. Perhaps a simple one can be where you show a panoramic view along a busy street. Then you ask the question "What is the name of the store at number 763?" Or "What is the street number of ZZZ Supermarkets along this street?". "There is a large group of friends gathered near XXX store. How many people are in the group?"

Or simpler ones - if your forum or other thing is about a specific topic, ask a question about that topic. Or even self-referential ones. "What of the following will an art thief steal? A) Mona Lisa, B) Big screen HDTV, C) Cellphone, D) Money".

Might as well advance the state of things like image recognition and natural language queries while we're at it.

Re:hmm... (0)

Anonymous Coward | more than 3 years ago | (#33796610)

> "There is a large group of friends gathered near XXX store..."

They should probably strive to keep CAPTCHAs PG.

Re:hmm... (1)

coolvenk (1128477) | more than 3 years ago | (#33796968)

> However, there are still difficult-for-computer-but-easy-on-humans tasks that can be done. I'm surprised no one's yet hooked a way into the Amazon Mechanical Turk or the like. Perhaps a simple one can be where you show a panoramic view along a busy street. Then you ask the question "What is the name of the store at number 763?" Or "What is the street number of ZZZ Supermarkets along this street?". "There is a large group of friends gathered near XXX store. How many people are in the group?"
>
> Or simpler ones - if your forum or other thing is about a specific topic, ask a question about that topic. Or even self-referential ones. "What of the following will an art thief steal? A) Mona Lisa, B) Big screen HDTV, C) Cellphone, D) Money".
>
> Might as well advance the state of things like image recognition and natural language queries while we're at it.

Coz with the alternatives you propose a human has to first figure out the correct answer to compare against the user's response in a CAPTCHA challenge. If they had an algorithm to figure it out, the attacker would use it too. And, millions of CAPTCHAs are served every day, so they have to be automated.

Trivia questions... (1)

KingAlanI (1270538) | more than 3 years ago | (#33797288)

I recall how Planetarion [online game] used simple trivia questions in their CAPTCHAs. The arithmetic category was no problem, but a few of the simple trivia questions tripped me up, especially because they were Euro-centric (the game *is* based in the UK). I shouldn't have to Google for a CAPTCHA answer.

Re:hmm... (0)

Anonymous Coward | more than 3 years ago | (#33797682)

The point of a captcha is that the tests are supposed to be automatically generated, in very large numbers. How do you do it for the tests you propose?

Re:hmm... (1)

residieu (577863) | more than 3 years ago | (#33795248)

Soon you'll be able to distinguish a bot from a person because only a bot will be able to read the CAPTCHA.

When they figure out how to win, YOU win (1)

Cajun Hell (725246) | more than 3 years ago | (#33795290)

At the point that it becomes impossible to distinguish them, you will no longer need to. Why discriminate against a bot, if it's able to participate in discussions (to an on-topic degree as well as humans), has its mind influenced by ads, etc?

Accessibility Issues (0)

Anonymous Coward | more than 3 years ago | (#33793808)

Most CAPTCHAs are also inaccessible to vision impaired individuals.

Re:Accessibility Issues (0)

Anonymous Coward | more than 3 years ago | (#33794954)

didn't see that coming.

Re:Accessibility Issues (1)

KingAlanI (1270538) | more than 3 years ago | (#33797334)

A lot of CAPTCHAs have sound alternatives; since I can see a computer screen perfectly fine, I've never bothered checking them out, but I can test for curiosity's sake sometime.
Granted, that's another vector for attackers in addition to improving site accessibility.

fake weather, fake aliens, fake god, what's next? (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33793816)

seeing as we came from monkeys, it would be reasonable that we wouldn't have a clue, except about the 'weather'?

the search continues;
google.com/search?hl=en&source=hp&q=weather+manipulation

google.com/search?hl=en&source=hp&q=bush+cheney+wolfowitz+rumsfeld+wmd+oil+freemason+blair+obama+weather+authors

meanwhile (as it may take a while longer to finish wrecking this 'universe'); the corepirate nazi illuminati (who believe that they didn't come from monkeys) is always hunting that patch of red on almost everyones' neck. if they cannot find yours (greed, fear ego etc...) then you can go starve, while they continue to consume, destroy, waste immeasurable amounts of stuff/life, & feasting on nubile virgins, while insisting that we 'monkeys' use/do MUCH less. that's their (slippery/slimy) 'platform' now. see also: http://en.wikipedia.org/wiki/Antisocial_personality_disorder-- get ready to meet the goat devil.

never a better time to consult with/trust in our creators. the lights are coming up rapidly all over now. see you there?

greed, fear & ego (in any order) are unprecedented evile's primary weapons. those, along with deception & coercion, helps most of us remain (unwittingly?) dependent on its' life0cidal hired goons' agenda. most of our dwindling resources are being squandered on the 'wars', & continuation of the billionerrors stock markup FraUD/pyramid schemes. nobody ever mentions the real long term costs of those debacles in both life & any notion of prosperity for us, or our children. not to mention the abuse of the consciences of those of us who still have one, & the terminal damage to our atmosphere (see also: manufactured 'weather', hot etc...). see you on the other side of it? the lights are coming up all over now. the fairytail is winding down now. let your conscience be your guide. you can be more helpful than you might have imagined. we now have some choices. meanwhile; don't forget to get a little more oxygen on your brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.

"The current rate of extinction is around 10 to 100 times the usual background level, and has been elevated above the background level since the Pleistocene. The current extinction rate is more rapid than in any other extinction event in earth history, and 50% of species could be extinct by the end of this century. While the role of humans is unclear in the longer-term extinction pattern, it is clear that factors such as deforestation, habitat destruction, hunting, the introduction of non-native species, pollution and climate change have reduced biodiversity profoundly.' (wiki)

Too focused on being perfect (1)

js3 (319268) | more than 3 years ago | (#33793834)

My experience with captcha is they are too focused on being the perfect system, to the point where it goes from a simple annoyance to almost impossible to access whatever it's protecting.

Re:Too focused on being perfect (3, Insightful)

Cro Magnon (467622) | more than 3 years ago | (#33794002)

At some point, CAPTCHAs will reach the point where ONLY a bot can get past them.

Re:Too focused on being perfect (3, Insightful)

clone53421 (1310749) | more than 3 years ago | (#33794032)

Then they’re designed wrong.

You should at least skim over the paper, that’s actually a significant portion of what it’s focused on... finding something that humans are good at and bots are not. As better bots have been written, that may have changed significantly... most present CAPTCHA systems are relatively broken.

Re:Too focused on being perfect (1)

Bigjeff5 (1143585) | more than 3 years ago | (#33794786)

The GP's point was that there are captchas out there that are very difficult for even human readers to understand. However, pattern recognition software is getting better all the time, while human pattern recognition is generally fixed (It's phenomenal, but not improving). Eventually pattern recognition software will overtake the human pattern recognition ability, and then the only one who will be able to pass a captcha is a bot.

Re:Too focused on being perfect (1)

nomel (244635) | more than 3 years ago | (#33798692)

Well, then you move on to a harder pattern, such as "what mood was the writer in when they wrote this" or "does the puppy in this picture look sad?" or, "is the person pictured in a dangerous situation".

If we're at that point...then I would assume we would also have the ability to detect spam in a contextual sense!

Re:Too focused on being perfect (1)

binkzz (779594) | more than 3 years ago | (#33795740)

> My experience with captcha is they are too focused on being the perfect system, to the point where it goes from a simple annoyance to almost impossible to access whatever it's protecting.

Then it's getting further away from being perfect. A perfect captcha would be unnoticed.

Chinese CAPTCHA farms (2, Informative)

Anonymous Coward | more than 3 years ago | (#33793862)

I have a friend that used to bot WoW for a couple years until Blizzard got the law on their side^H^H^H^H^H^H^H^H^H^H^H^H^H in their pocket. Turns out he used to redirect bot checking CAPTCHAs to an IRC channel where the paid minions would solve them.

CAPTCHA has been a moot point to me since I witnessed this process occur in real time.

Re:Chinese CAPTCHA farms (3, Informative)

buck-yar (164658) | more than 3 years ago | (#33793914)

I heard porn sites were requiring a captcha to view an image, but it was really a redirect from another captcha. So porn surfers were solving captchas for bots.

Re:Chinese CAPTCHA farms (0)

Anonymous Coward | more than 3 years ago | (#33794140)

> I heard porn sites were requiring a captcha to view an image, but it was really a redirect from another captcha. So porn surfers were solving captchas for bots.

That works too, especially if you have a good topsite to redirect the captchas toward.

However, with IRC you can ensure that your workers are actually... "working" :)

Re:Chinese CAPTCHA farms (4, Funny)

clone53421 (1310749) | more than 3 years ago | (#33794192)

> That works too, especially if you have a good topless site to redirect the captchas toward.

FTFY.

Why not... (1)

buck-yar (164658) | more than 3 years ago | (#33793942)

do captcha in a different way. Show an image of someone famous, like Obama, then ask who that person is. The answer key could have "Obama," "Barrack," "Barrack Obama" and every other iteration.

Re:Why not... (2, Insightful)

clone53421 (1310749) | more than 3 years ago | (#33793990)

There are only so many such images available for use, and the image library could fairly easily be exhausted and all of the images correctly identified at which point a bot could be used with near-100% accuracy.

Re:Why not... (3, Funny)

Rik Sweeney (471717) | more than 3 years ago | (#33794076)

> There are only so many such images available for use

Not if they use images of Lady Gaga

Re:Why not... (1)

KarrdeSW (996917) | more than 3 years ago | (#33795954)

> There are only so many such images available for use
>
> Not if they use images of Lady Gaga

Except the idea only works if the answer isn't always Lady Gaga

In all seriousness, though... (1)

KingAlanI (1270538) | more than 3 years ago | (#33797526)

You're right, they can't all be pictures of the same person, but it seems like multiple pictures of the same person, mixed in with pictures of other people, could help or at least not hurt.

If the pictures of the same person look very different (Gaga's fashion choices would certainly be an example of that), that would help such a process

Re:Why not... (1)

KingAlanI (1270538) | more than 3 years ago | (#33797416)

she is the near complete opposite of a cartoon character in that respect (say, Bart's red shirt and blue shorts) - almost every day's outfit is *different*.

[I'm assuming the joke was about her divergent fashion selections]

Re:Why not... (0)

Anonymous Coward | more than 3 years ago | (#33794084)

Or even "Barack", the actual correct spelling of the POTUS's first name...

Re:Why not... (0)

Anonymous Coward | more than 3 years ago | (#33794216)

facial recognition software exists, therefore all you'd be doing with such a system is switching the arms race from optical character recognition to optical facial recognition.

Also you'd have a very culturally limited system as someone famous in the US may be completely unheard of in Germany, and vice versa.

Re:Why not... (1)

KingAlanI (1270538) | more than 3 years ago | (#33797694)

I did indeed get caught up by some region-specific trivia on a European webgame's text CAPTCHA, so I have personal experience with the concept you're getting at. :)

yeah, the list of famous people that are famous worldwide would be small, limiting worldwide use of such a system for those reasons, and even if they're "on the grid" [as opposed to someone living out in the sticks or something], they might not have heard of particular people.

Re:Why not... (-1, Troll)

edremy (36408) | more than 3 years ago | (#33794232)

But not Socialust Muslin Traitor Kenyan?

Wher Birth Certificat?!?

Re:Why not... (0)

Anonymous Coward | more than 3 years ago | (#33794916)

I was going to make some snarky-ass comment about whether the captcha would pass or fail if you include his middle name. But modding parent troll? Seriously? This guy is clearly kidding.. (Hint: If he wasn't, would he have posted in LOLcat?)

Posting anonymously for semi-obvious reasons.

Re:Why not... (1)

firewrought (36952) | more than 3 years ago | (#33794338)

> Why not... show an image of someone famous, then ask who that person is.

Collecting the pictures for this would be pretty expensive. You've got to figure out licensing, tagging (including acceptable synonyms in several target languages), down-sampling, storage, accessibility, etc. The attacker only has to figure some (imperfect) tagging, and they can use well-researched ideas (facial recognition) to help with this. Moreover, the larger and more valuable target you are, the more images you must find. Would 10,000 images cut it for Yahoo! or Microsoft? Certainly not... they would need millions (even billions) of images with unique responses. By contrast, an 8-character alphanumeric captcha has 2.8 trillion possible responses without any per-response overhead.

Re:Why not... (1)

natehoy (1608657) | more than 3 years ago | (#33794376)

It might work, except that someone who is famous to one person is unknown to another. Were you to put up a picture of Barack Obama or Joe Biden, I could identify either one easily. The same could not be said of all world leaders, however. I read pretty regularly about events involving David Cameron, Christian Wulff, and Nicolas Sarkozy, but I'm not sure if I could accurately identify a photo of any of them given no other context.

Lady Gaga? Show me a picture of her without any context, and I'd have to start guessing or searching names at random until I got a match. The same could be said of many very popular entertainers (singers, actors, etc). I suspect I'm the precise opposite of most Internet users in that regard, though. I know a number of actors by sight, but remember few of their names. Unless I could type their character names on the shows/movies they've appeared in, I'd probably be lost. And if I've got to spend a few minutes on IMDB looking people up, there's a damned good chance I'm not THAT interested in your site.

Picture-based captcha is really effective at filtering out bots. The problem with using a captcha that includes pictures is that you need to be pretty confident you know your intended audience knows what the pictures are of.

The beauty of current captchas is that you don't need specific knowledge to use them. I don't need to speak English or have specific knowledge of American movie stars to pass a letter-based captcha. If I can identify each letter successfully, I can retype it.

It's not a knowledge or skills test, it's a captcha.

Re:Why not... (1)

Midnight's Shadow (1517137) | more than 3 years ago | (#33794728)

That is a strong point about why using a famous person should not be used but what about something simpler. I propose something like this:
5 images of random people are selected from a database where the images are tagged about the person's appearance (i.e. hair color, sex, facial hair, eye color, etc).
A random question is asked about those five images (i.e.- how many have facial hair? How many have blue eyes? How many are women?)
If answer matches with the tags from the 5 random images you have a success otherwise you have a failure.

I realize that this system isn't perfect either and could be beat with image recognition software coupled with parsing software. It does have the advantage of easy identification by humans but the task for the computer is much harder. It doesn't require knowledge of the people in the images only being able to identify aspects of the people. It could also be made harder by asking a compound question (how many of the women are wearing blue shirts?).

Re:Why not... (1)

natehoy (1608657) | more than 3 years ago | (#33795000)

Better, but still problematic for another reason.

Captcha requires lots of possibly incorrect responses. An answer with a minimum value of 0 and a maximum value of 4 (for example) means there are 5 possible responses. 0,1,2,3,4.

That gives a bot a 20% chance of being correct, which is unacceptably easy.

You've also made the captcha solution language-specific. And if you use colors, color-blindness may be an issue for you now as well.

Don't get me wrong, I can see some applications of picture-based captcha, but I don't see them as terribly more effective than the current "wavy gravy" text you have to dutifully reproduce letter-by-letter.

Re:Why not... (1)

Midnight's Shadow (1517137) | more than 3 years ago | (#33795364)

Good points so let's address them. Your calculation is a bit flawed: for a simple question you have 6 possible answers - 0,1,2,3,4,5. So the bot has a 1/6 chance of correctly guessing, which is still unacceptably easy. So add a second or third question raising the possibilities up to 1/36 and 1/216 respectively. Or add more images to raise the base number up from 6 to 11 or maybe 21. Suddenly you get from 1/6 odds up to 1/9261 (20 images 3 questions). The color issue would be problematic and the only way I can see of getting around it is to avoid those questions. The answer doesn't have to be language specific since we have numeric keys however the questions would have to be in a language that the human can understand. I don't see a way around this.

The point of this thought experiment is to see if it is possible to come up with a better way of distinguishing between human and bot that isn't arduous to the human. It may not be possible but considering the combined brain power associated with this site, I doubt it.
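An added worked check of the guess-rate arithmetic in this sub-thread (editor's example, not part of any poster's comment). It goes one step beyond the 1/6 and 1/9261 figures: a count of tagged images is not uniformly distributed, so a guesser that always answers the most likely count does better than 1/(n+1). The independence of tags and the tag frequencies are assumptions of this example, and all function names are made up here.

```python
from fractions import Fraction
from math import comb, log2


def answer_distribution(n_images, p_tag):
    """P(count == k) for k = 0..n_images, assuming each image carries the
    tag independently with probability p_tag (assumption of this example)."""
    p = Fraction(p_tag)
    return [comb(n_images, k) * p**k * (1 - p) ** (n_images - k)
            for k in range(n_images + 1)]


def uniform_guess_rate(n_images, n_questions):
    """The thread's estimate: every count 0..n_images is equally likely."""
    return Fraction(1, (n_images + 1) ** n_questions)


def modal_guess_rate(n_images, tag_probs):
    """Pass rate of a guesser that always answers the most likely count.
    One question per tag; tags are assumed independent of each other."""
    rate = Fraction(1)
    for p in tag_probs:
        rate *= max(answer_distribution(n_images, p))
    return rate


def text_captcha_rate(alphabet=36, length=8):
    """Blind-guess rate for a random alphanumeric string; 36**8 is the
    '2.8 trillion possible responses' figure quoted earlier in the thread."""
    return Fraction(1, alphabet ** length)


def guess_bits(rate):
    """Guessing resistance in bits: -log2 of the best single-guess pass rate."""
    return -log2(rate)


def compare(n_images, tag_probs):
    """Nominal (uniform) versus actual (modal-guess) resistance of one scheme."""
    nominal = uniform_guess_rate(n_images, len(tag_probs))
    actual = modal_guess_rate(n_images, tag_probs)
    return {
        "nominal_rate": nominal,
        "actual_rate": actual,
        "nominal_bits": guess_bits(nominal),
        "actual_bits": guess_bits(actual),
    }


if __name__ == "__main__":
    half = Fraction(1, 2)
    # Constructed scenarios: the thread's image/question counts with
    # assumed tag frequencies (1/2 for a balanced tag, 1/5 for a rare one).
    scenarios = [
        ("5 images, 1 question, p=1/2", 5, [half]),
        ("5 images, 1 question, p=1/5", 5, [Fraction(1, 5)]),
        ("5 images, 3 questions, p=1/2", 5, [half] * 3),
        ("20 images, 3 questions, p=1/2", 20, [half] * 3),
    ]
    for label, n, probs in scenarios:
        r = compare(n, probs)
        print(f"{label}: nominal 1/{1 / r['nominal_rate']} "
              f"({r['nominal_bits']:.1f} bits), "
              f"modal guess ~1/{float(1 / r['actual_rate']):.0f} "
              f"({r['actual_bits']:.1f} bits)")
    print(f"8-char alphanumeric text: {guess_bits(text_captcha_rate()):.1f} bits")
```

Under these assumptions the 20-image, 3-question design gives roughly 1 in 183 to a fixed-answer guesser rather than 1 in 9261, before any image recognition is applied.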

Re:Why not... (1)

rjstanford (69735) | more than 3 years ago | (#33796638)

The trouble is that you've made it hard enough (by definition) that a human is needed to lovingly hand-craft each one as well. After all, if the computer could put them together from an image database, it could solve them the same way.

tl;ds

Too long; doesn't scale.

Good study, would have preferred a more diverse (1)

Mattpw (1777544) | more than 3 years ago | (#33794480)

Interesting study however needed a more diverse range of sample testers all of which were early twenties volunteer university graduates. I only bring this up because I see very different responses to CAPTCHAS. The response and attitude towards CAPTCHAS from young university people hanging around the IT labs where this was most likely advertised will be far far different to the average online citizen. I'm not sure how accurate this is but out in the non IT section of society CAPTCHAS are loathed and hated beyond belief, also the failure rates sound spectacular. Full credit for the new variations on the old warped text captchas but I hazard a guess that those bizarre mental challenges are not going to fly with your average joe. In fact it's amazing that captchas have entered mainstream at all. I'm sure the study was limited with money and time but I look forward to a more mainstream diverse study.

Re:Good study, would have preferred a more diverse (1)

Bigjeff5 (1143585) | more than 3 years ago | (#33794872)

Design your own study then. Sounds like you know just what needs to be done.

My favorite one is this (1)

ameline (771895) | more than 3 years ago | (#33794748)

http://lib.mipt.ru/?spage=reg_user [lib.mipt.ru] From the Moscow institute of physics and technology. Described as a "little school-level problem" :-) Be prepared to dust off your knowledge of Kirchhoff's law (http://en.wikipedia.org/wiki/Kirchhoff%27s_circuit_laws) and Ohm's law, and to solve a system of equations that boils down to a 6x6 matrix.

Why...? (0)

Anonymous Coward | more than 3 years ago | (#33794770)

Why is there so much use of captchas anyway? I can see it if maybe you were running to run a secure site, or were trying to limit access to speakers of a certain language. But why for instance does /. use captchas to post a comment? Are you afraid that some advanced AI is going to post a comment, or that you are going to be spammed?
I mean...terming...geeze.

Human resources are cheaper (2, Insightful)

Arty2 (1742112) | more than 3 years ago | (#33794772)

Seriously, what use are captchas anymore when they pay actual humans to do the dirty work? I got like hundreds of fake users with IPs from India and China in my forums, that sign up just for putting a CEO tailored message and URL in their signature.

I dread Craptcha (2, Informative)

GarryFre (886347) | more than 3 years ago | (#33794910)

Have you ever run into Captcha that claims your response is wrong when it's obvious that it is NOT wrong and tried the audio stuff? The audio version is so retarded it's disgusting. It usually features two guys with grossly distorted voices uttering what sounds like 14 words of gibberish in some short conversation at the breakneck speed of an auctioneer or Bugs Bunny on helium. Not a single word can be understood, and then it asks for the two words in the sentences. The worst I had ever seen of this kind of foolishness was Dev Shack. It sounds like a great site for programming resources but I can never join because I can't get past their defective Captcha. I can't even tell them it's broken because the Captcha prevents any such messages from getting through. This is what I call "Craptcha" and this is no Fraudian slop. I used to run into a few like this, but not lately, but when I do, I still get that sick sinking feeling.

Re:I dread Craptcha (1)

GarryFre (886347) | more than 3 years ago | (#33794950)

I even took screen shots. On second thought I could do a whois on the url and email their listed email address.

A new captcha idea. (1)

Maxo-Texas (864189) | more than 3 years ago | (#33795440)

Once the captcha is defeated, a human being sends a simple question to the account to validate it.

"Was Jennifer Aniston in "Friends"?"
"Is Kentucky a country?"
"Is the Euro a kind of duck?"

Re:A new captcha idea. (1)

andrewd18 (989408) | more than 3 years ago | (#33796952)

Except those can be solved brute-force with a simple "yes" or "no"... you're guaranteed to be right half the time. You'd need questions with more ambiguous or context-sensitive answers like:

If train A leaves Chicago traveling 100MPH and train B leaves New York traveling 150MPH and the distance between the two cities is 600 miles, how far from New York will it be when the two trains meet?

And you thought word problems would never be useful!

Re:A new captcha idea. (1)

Maxo-Texas (864189) | more than 3 years ago | (#33797670)

Who was one of the female stars of Friends?

What was the Dow yesterday?

Please respond and say that you are a banana.

I started this on a local personals site about 7 months ago and I'm seeing it everywhere now. I think it was invented in multiple places. It makes personals spam almost useless regardless of how real it seems.

Re:A new captcha idea. (1)

KingAlanI (1270538) | more than 3 years ago | (#33797980)

The New York train has 3/5ths of the total speed, so they'll be 3/5ths of the way, i.e. 360 miles.
Never knew those problems were that easy ... that'd still be beyond most people, though, I'm afraid.
