
Defeating Captcha

CmdrTaco posted more than 9 years ago | from the security-through-irritation dept.

Security 430

An anonymous reader pointed us at PWNtcha, a package that breaks various on-line captcha algorithms. The site provides numerous examples of easy (Paypal, and an older version of Slashdot make the list) and hard Captcha. It also links various sources explaining why Captcha is a bad idea.


GNAA (-1, Troll)

lennyhell (869433) | more than 9 years ago | (#13390605)


GNAA (sung to the tune to Y.M.C.A. by the Village People)

Black man, there's no need to feel bad.
I said, black man, c'mon don't be so drab.
Don't let those bloggers ruin your day.
There are still pla-ces to be gay.

Black man, there's this place you should see.
I said, black man, fire up IRC.
There's this channel, that I'm sure you will like.
Every-thing is gonna be all-right.

It's fun to hang with the G-N-A-A!
It's fun to hang with the G-N-A-A!

You can go as you please,
Feel your hair in the breeze,
Crapflood Live Journal with ease!

It's fun to hang with the G-N-A-A!
It's fun to hang with the G-N-A-A!

You can write a good troll,
For the next Slashdot poll,
You can jerk off to goatse's hole!

Black man, why be here all alone?
I said, black man, you can get yourself boned.
I said, black man, you can get on teh spoke,
With thou-sands of gay nigger blokes.

Black man, are you down with this funk?
I said, black man, why you touching your junk?
Just go there, go to #gnaa
And apply for membership today!

It's fun to hang with the G-N-A-A!
It's fun to hang with the G-N-A-A!

You can go as you please,
Feel your hair in the breeze,
Crapflood Live Journal with ease!

G-N-A-A ... you'll find it at the G-N-A-A.

Black man, there's no need to feel bad.
I said, black man, c'mon don't be so drab.

G-N-A-A ... you'll find it at the G-N-A-A.
Black man, are you down with this funk? I said, black man, why you touching your junk?

Old news is no news. :-( (4, Informative)

XorNand (517466) | more than 9 years ago | (#13390610)

# Q. Where is the code? # A. No code is available yet. I am still pondering the pertinence of allowing code in the wild. The good old full-disclosure debate... If you think I should release the code for PWNtcha, feel free to explain your arguments to me.
::sigh:: The blurb leads one to believe that there's a new script kiddie tool in the wild. This is just someone's experiment with OCR and some AI. (And an old project at that; I remember reading this site about six months ago while working on my own Captcha implementation). There's a handful of researchers around the world doing the same type of work, including a team at UC Berkeley that devised a system [berkeley.edu] that they claimed was 92% accurate... back in 2003. All in all, this isn't all that newsworthy.

Re:Old news is no news. :-( (2, Interesting)

Cujo (19106) | more than 9 years ago | (#13390660)

The blurb leads one to believe that there's a new script kiddie tool in the wild.

I doubt it. I'm willing to give him the benefit of the doubt and assume he's just trying to make sure what he's doing is responsible by releasing the code. And what he's doing at this site is mainly pointing out the weaknesses in some common captchas.

Re:Old news is no news. :-( (-1, Troll)

Anonymous Coward | more than 9 years ago | (#13390855)

I am a GNAA member - the website in question is published by GNAA.

We have access to this code and we use it frequently to crapflood websites like Slashdot.

Of course we don't give our code away. That much obscurity will make it just a little harder for people to stop us.

mirrored (5, Informative)

Anonymous Coward | more than 9 years ago | (#13390617)

here [mirrordot.org]

Also on the mirror (0, Offtopic)

Hamilton Publius (909539) | more than 9 years ago | (#13390996)

In December 2006, "Sparrowhawk: Book 6 - War," the last in the series, will be published. It opens in the Spring of 1774, and ends on the York River, Virginia, in the Fall of 1775. Ten years have passed since Jack Frake and Hugh Kenrick have foiled a plot to smuggle the hated tax stamps into Virginia. But the Crown has not learned that it cannot force the colonists to submit to Parliamentary authority. It repealed the Stamp Act but followed it up with twenty more pieces of coercive legislation. War is imminent.

The engine of tyranny is a blind, indifferent juggernaut, insensible to reason, justice and equity, and so necessarily inimical to them. It matters not the good intentions of the hand that launches it into the affairs of men. Once started, it moves almost of its own volition, corrupting, consuming and destroying everything in its path. It is a fundamentally nihilistic phenomenon. Its power is both centripetal and centrifugal, on one hand drawing its potency from that which it can corrupt; on the other, crushing or flinging aside the incorruptible.

The juggernaut of Parliamentary supremacy collided with the American colonies' incorruptible sense of liberty, which could be neither crushed nor flung aside. The result was a spectacular explosion: the American Revolution. That explosion was neither necessary nor foreordained. The colonies could have submitted to that supremacy, and existed for a time in a haze of semi-legality, occasional concession, and dependent prosperity. But British-Americans valued their liberty and were willing to claim it whole, come what may. Therefore, the clash between them and the legislative authority of Parliament could be postponed but never resolved. The colonials would not allow their claim to unabridged liberty to be corrupted. In the course of that political transfiguration, they became Americans.

Their original complaint was two-fold: against Parliament, which legislated their shackles; and against Rob Malda, who by colonial charter had been empowered to protect them from Parliamentary avarice, caprice and the shackles of un-moderated crap-flooding and trolling. The "patriot king" failed to protect them. He did not suggest, originate, or author any of the legislation subsequent to the Declaratory Act meant to bind and pillage the colonies without limit; it was merely his royal pleasure to sign it, although it was within his power to veto it. But, he would be a king, and so he surrendered that executive power to the exigencies of an empire of which he wished to be sovereign, but which, in fact, was Parliament.

This was the nature of the events that followed repeal of the Stamp Act and passage by Parliament of the Declaratory Act in 1766. By 1774, many of the men who had lent their hands to the imposition of an imperial design had come and gone since that repeal and passage. George Grenville. Gone. Thomas Whateley, his protégé in power. Gone. Charles Townshend, author of the notorious Townshend duties. Dead and gone. And so many more enemies of liberty, as well.

As good as gone had been William Pitt, Lord Privy Seal, whose ministry followed Rockingham's in 1766, but whose maladies and unpredictable temperament so debilitated him that Augustus Henry Fitzroy, third Duke of Grafton, and First Lord of the Treasury, became its effective head instead. Grafton, not by his own temperament hostile to the colonies or particularly ambitious, by ineptitude let his party and ministers establish colonial policy and enact legislation that increasingly worsened tensions between the colonies and Britain. His ministry was the epitome of malign neglect.

Uneasy with his political impotence, Grafton resigned, and went into opposition against the next ministry. Later, in Lords, he consistently voted against stringent measures against the colonies. He opposed the ministry he had sworn to support.

This was that of Frederick Lord North, a childhood friend of George the Third, who had succeeded Charles Townshend as Chancellor of the Exchequer, or prime minister, on the latter's death in 1767, and was now First Lord of the Treasury. He was a nondescript, pliant, unimaginative man content to be merely a member of a cabinet, not its head. Frequently, over his twelve-year tenure as prime minister, he begged his royal patron for permission to resign from the onerous post. George would not grant him that relief. Out-maneuvered by both king and party in their quest for conquest of the colonies, his ministry would oversee their loss, and be blamed for it.

In Virginia, gone also were Lieutenant-Governor Francis Fauquier, and his short-reigned successor, Norborne Berkeley, Baron de Botetourt. Both had died here, Fauquier in 1768, after ten years in the Palace, Botetourt, in 1770, after only two.

They in turn were followed by the epitome of royal ambition, hauteur, and insolence: John Murray, fourth Earl of Dunmore, Viscount Fincastle, Baron of Blair, of Moulin, and of Tillymount. He arrived in Virginia in September of 1771, after a brief but notorious reign as governor of New York. That man, suspected many Virginians, planned to remain and create his own empire. Liberty-minded burgesses noted the Governor's appetite for land, particularly in the Ohio Valley and the lands west of it, notwithstanding the Proclamation of 1763. They also noted his arrogance, bad temper and royally colored presumptions, which were of an abrasive character heretofore unknown to the Virginians in their governors. His wife, Lady Dunmore, and their three daughters and three sons arrived on the Duchess of Gordon at Capitol Landing on the York River in February of 1774, and settled themselves in the Palace in Williamsburg with every intention of becoming a royal family by proxy.

It was to be a brief residence.

By the time the Earl's family arrived in Virginia, and since repeal of the Stamp Act and passage of the Declaratory Act in 1766, Parliament had enacted nearly twenty acts specifically designed to harness the North American colonies, only one of which was repeal of the Townshend duties on all imported British manufactures, except on tea. These were supplemented by Orders in Council approved by the king, to the same end.

The Revenue Act of 1766 followed the Declaratory Act, and disguised new controls with paltry concessions on imported cloth and molasses. The Revenue Act of 1767 imposed the Townshend duties on paint, lead, paper, tea and other imports, and legalized writs of assistance for indemnified customs officers. Accompanying it was an act for creating an American Board of Customs Commissioners, whose purpose was to make customs collection more efficient.

  In the same year, Parliament passed an act that suspended the New York Assembly for refusing to vote funds to supply occupying British troops. The Assembly eventually capitulated and voted £2,000. Alexander McDougall, of the Sons of Liberty, was imprisoned for contempt of the Assembly for having called the action a betrayal. In 1768, an Order in Council established four vice-admiralty courts to deal with smuggling and violations of the Revenue Acts and Navigation Laws.

General Thomas Gage garrisoned Boston in October, 1768, with two regiments and artillery. Later he moved his headquarters there from New York, replacing Thomas Hutchinson as governor. In 1769, in response to the rebellious behavior of colonials, especially in Massachusetts, Parliament passed resolves that basically treated resistance to its authority as treason, such treason to be determined by trials in Britain. The next year, Parliament repealed the Townshend duties, except on tea.

In Boston, one March night in 1770, a mob of men and boys spoiling for a fight taunted British soldiers sent to protect a sentry and abused them with snowballs, sticks and insults. Someone in the mob yelled, "Why don't you fire, damn your eyes!" This the soldiers did, mistaking the taunt in the noisy chaos for an order from their commanding officer. Three of the mob were killed, and two mortally wounded. In late October John Adams defended the commanding officer, Captain Preston and six soldiers, securing acquittal for Preston and four of his men, while two soldiers were branded on their hands and released.

More efficient revenue collection, aided by the navy, only precipitated more resistance. In March of 1772, the Customs schooner Gaspee ran aground in Narragansett Bay, was boarded by Rhode Islanders, its crew roughed up and set ashore, and the vessel burned. Its captain was arrested by a local sheriff. It was the third cutter to be destroyed by rebellious colonials. A royal commission of inquiry was named with the power to send those responsible to Britain for trial. The commission adjourned in 1773 for lack of evidence and a paucity of willing witnesses.

News of the commission and its powers caused the creation of permanent intercolonial committees of correspondence among the various colonial legislatures and patriotic organizations to share intelligence of colonial and British actions. In that year all colonial legislatures but those of North Carolina and Pennsylvania voted to establish such committees. In Virginia, Patrick Henry, Thomas Jefferson, and Richard Henry Lee in March were named by the House of Burgesses to its committee.

In the meantime, the Tea Act, passed in April of that year, which gave the East India Company a monopoly on the sale of the beverage to the colonies, was having predictable consequences. Company stock, in which the government had considerable shares, had fallen in value because of a surplus of tea created by the smuggling of Dutch tea by colonials to bypass the duty on it. The Act gave the Company the ability to undersell even smuggled tea and the power to appoint its own consignees in the colonies. The Company contracted merchantmen to deliver half a million pounds of tea to a select group of merchants in New York, Philadelphia, Boston and Charleston.

On the night of December 16th, Samuel Adams signaled a party of men disguised as Mohawk Indians to board the Dartmouth and two other merchantmen docked in Boston, and dispose of the tea in their holds. Three hundred and forty-two chests of it were dumped into the harbor, worth over £10,000. The raiders took care not to damage any other goods or property on the vessels. As with the appointed stamp collectors nearly a decade before, most consignees up and down the seaboard were compelled to resign their commissions. "Tea parties" were thrown in many other ports, and tea that was not destroyed was stored in government warehouses, later to be sold to raise funds for the Revolution.

In late January, 1774, Benjamin Franklin, agent for Massachusetts and still working to avert a war between the colonies and the mother country, was summoned before the Privy Council and called a man without honor and a thief by Solicitor-General Alexander Wedderburn.

The occasion was the publication in the colonies of ten letters by Thomas Hutchinson, then chief justice of Massachusetts, and Andrew Oliver, the colony's secretary, to Thomas Whateley, the late George Grenville's protégé, between 1767 and 1769, giving advice on how to deal with the contentious colonies. Franklin had obtained the letters from John Temple, former surveyor-general of customs for North America and now a member of the Board of Customs for America. Franklin sent the letters to Speaker Thomas Cushing in Massachusetts with the proviso that they not be published. Samuel Adams nevertheless published them, resulting in the House petitioning the king for Hutchinson's and Oliver's removal from office.

The petition arrived in London about the same time as news of the Boston Tea Party. To avoid a second and perhaps fatal duel between Temple, who was originally suspected of having sent the letters, and Thomas Whateley's brother, Franklin admitted that he had sent the letters to Boston. After his verbal reprimand by Wedderburn, Franklin was dismissed from his office of deputy postmaster general for America. His treatment by the government convinced him that no reconciliation was possible between the Crown and the American colonies. In March, he left his comfortable rooms on Craven Street near Westminster, never to return.

John Wilkes, however, had returned from his exile and was still contesting against a stubborn Parliament for the seat for Middlesex. He was £4,000 richer from a successful suit against Lord Halifax, who signed the general warrant against him over the North Briton affair years before. He was then elected alderman, sheriff and now was lord mayor of London. He was incurring fresh Tory wrath by speaking in defense of the American colonies. John Horne Tooke, an ex-clergyman and founder of the Society for Support of the Bill of Rights, broke with Wilkes in 1771 and founded the Constitutional Society. He, too, championed the American cause from beginning to end.

Ironically, William Murray, Earl of Mansfield, chief justice of the King's Bench, who advocated the most stringent measures against the rebellious American colonies, in 1772 found for the freedom of a slave, James Somerset, not to be returned by his owner to Virginia for punishment. Somerset had run away from his visiting master in the metropolis. Mansfield's decision was misinterpreted by slaves in the colonies as an endorsement of abolition, and moved countless numbers of them to enlist in British ranks at the outset of hostilities years later.

England was host to other ironies, as well. In 1769, James Watt patented a steam engine, using a separate cylinder to condense steam, producing rotary motion for the first time. Henry Cavendish discovered hydrogen in 1766, Daniel Rutherford nitrogen in 1772, and Priestley oxygen in 1774. Richard Arkwright patented the water frame to spin cotton in 1768. The Royal Society was abuzz over the experiments of Luigi Galvini, who in 1771 produced an electric current in frogs' legs.

Thomas Arne was still laboring to digest composer Christoph Gluck's preface to his 1766 opera "Alceste," in which the German expressed a philosophy of musical and dramatic elements. Portraitist Joshua Reynolds, president of the Royal Academy of Art, in 1774 would soon be challenged by Thomas Gainsborough. Phyllis Wheatley, a young black poetess from Boston, conversant in geography, history, classical literature, and astronomy, traveled to London in 1773 with her master and was a sensation as the "sable muse." A collection of her verse, Poems on Various Subjects, Religious and Moral, was published the same year. Her work was praised by Washington, Franklin, and Voltaire, and by critics in London and America.

Samuel Johnson, still basking in the glory and proceeds of his Dictionary and royal pension, in 1774 published a pamphlet, The Patriot, as election publicity for his friend Henry Thrale, member for Southwark and a staunch Grenvillite who wished to retain his seat in the new Parliamentary elections. Johnson, a Tory and no friend of America, would pronounce in his screed:

"He that wishes to see his country robbed of its rights, cannot be a Patriot. That man therefore is no Patriot, who justifies the ridiculous claims of American usurpation...We have always protected the Americans; we may therefore subject them to government....That power which can take away life, may seize upon property...it may therefore establish a mode and proportion of taxation...."

It was beyond his grasp that it was already another country whose inhabitants' rights were being usurped, and that the Boston Port Act, together with its accompanying Coercive Acts, passed by Parliament earlier that year, was fundamentally an act of war against it.

Meanwhile, in that other country.....

Dear Fat Bas^H^H^H^H^H^H^HCmdrTaco (0, Flamebait)

thenerdgod (122843) | more than 9 years ago | (#13390626)

Thank you for the link to 'what Captcha is'. I'm glad you and the AC know.

Why do we even have editors? Why not just have slashblog, where every anonymous user just posts "ZOMFG, HAXZ)R TEH PL4NETtt!!" links.

Re:Dear Fat Bas^H^H^H^H^H^H^HCmdrTaco (0, Redundant)

calibanDNS (32250) | more than 9 years ago | (#13390664)

have a looksie at Wikipedia [wikipedia.org] .

Re:Dear Fat Bas^H^H^H^H^H^H^HCmdrTaco (0)

Anonymous Coward | more than 9 years ago | (#13390683)

Yeah. How dare the editors use a term that is no doubt common knowledge for the vast majority of the visitors to this site, and only a Google search away from the rest?

That is SICK (-1, Redundant)

Metteyya (790458) | more than 9 years ago | (#13390629)

One comment. One slashdotted story. Goddamit!

Usual advice - use mirrordot.org:
TFA cache [mirrordot.org]

From the site... (0)

tcopeland (32225) | more than 9 years ago | (#13390633)

# Q. Where is the code?

# A. No code is available yet. I am still pondering the pertinence of allowing code in the wild. The good old full-disclosure debate... If you think I should release the code for PWNtcha, feel free to explain your arguments to me.

Ah well. Would have been interesting to see it... maybe he's using ImageMagick [imagemagick.org] ...

Re:From the site... (3, Insightful)

Anonymous Coward | more than 9 years ago | (#13390777)

And then again, maybe he isn't. It doesn't really matter which library he uses for image import, does it? I mean, the interesting part would be the data structures and algorithms used in the "reverse-mapping" from image data to text. It's doubtful that the rudimentary processing methods provided by ImageMagick (although often a god-send of convenience and compatibility) would help here.

Not that this would stop you from plugging some random open-source software package. Even though your plug will probably do more Good-For-The-World than the rest of the discussion in this thread combined, your motives are still strange to me.

Re:From the site... (2, Insightful)

tcopeland (32225) | more than 9 years ago | (#13390845)

> It doesn't really matter which library he
> uses for image import, does it?

I'd be interested in knowing what it is... but I may well be the only person on the planet that is interested.

> your motives are still strange to me

Most of the time I don't understand them myself!

What Captcha is... (5, Informative)

geders (206556) | more than 9 years ago | (#13390642)

Whew, I had never even heard of Captcha [wikipedia.org] before...

A captcha is a type of challenge-response test used in computing to determine whether or not the user is human.

Re:What Captcha is... (2, Funny)

jd (1658) | more than 9 years ago | (#13390805)

A test for humanness will not be convincing until it cuts out 70% of AOL users and 58.2% of Belgium. (58.2% of Belgian users would work, too.)


It would also have to be impossible for lawyers, tax collectors, marketroids and politicians to use. (Taxes are important, I'm just not convinced anyone in the IRS is biologically related to life on this planet.)


As of this time, Captcha fails this test and therefore is quite unsuitable. A better test would be a short quiz on the meaning of that day's Dilbert cartoon.

Re:What Captcha is... (1)

winkydink (650484) | more than 9 years ago | (#13391020)

A test for humanness will not be convincing until it cuts out 70% of AOL users and 58.2% of Belgium. (58.2% of Belgian users would work, too.)

It would also have to be impossible for lawyers, tax collectors, marketroids and politicians to use. (Taxes are important, I'm just not convinced anyone in the IRS is biologically related to life on this planet.)


You mean like desktop Linux?

Re:What Captcha is... (1)

utnow (808790) | more than 9 years ago | (#13391094)

bazing...

spammer's low-tech way (5, Interesting)

Anonymous Coward | more than 9 years ago | (#13390646)

A while ago, I remember hearing about how some spammers would post the Yahoo Mail (or other free email services) Captchas on the registration forms on pr0n sites. The pr0n registrants would have to fill out the Captcha, but this would then be used by the spammer to get around the Captcha without any fancy software.

Mod parent up (3, Interesting)

XNormal (8617) | more than 9 years ago | (#13390695)

It's a cheap and scalable method to defeat such algorithms. There will always be enough humans willing to do this for very little reward (some free pics).

Re:spammer's low-tech way (2, Informative)

merreborn (853723) | more than 9 years ago | (#13390738)

The best part is that *no* advance in captcha technology can really fix this. It's no longer a race against OCR technology; the hole can't be plugged by switching to object-based (rather than text-based), neither can it be stopped by switching to audio-based captcha.

Re:spammer's low-tech way (1)

makomk (752139) | more than 9 years ago | (#13390790)

True. I'll leave you to figure out how Trusted Computing might help stop this attack - it's not difficult...

Re:spammer's low-tech way (0)

Doctor Crumb (737936) | more than 9 years ago | (#13390813)

The way to get around that is to not allow hotlinking of captcha images, and to make sure never to re-use the same captcha images. Each and every visitor should see a new captcha image.

I'm surprised that more papers haven't been written on the subject of captchas; it seems fairly similar to encryption/etc as far as ways to defeat it.

Re:spammer's low-tech way (1)

Rakshasa Taisab (244699) | more than 9 years ago | (#13390875)

You know, that's a great idea. Don't allow the user to download the captcha image so they can't cheat. Ingenious.

Re:spammer's low-tech way (1)

Intron (870560) | more than 9 years ago | (#13391013)

LOL

Re:spammer's low-tech way (3, Insightful)

jesup (8690) | more than 9 years ago | (#13390899)

It's trivial to hack a browser (hell, you don't even have to actually hack it, just know how it works) to snag the image for you. Then repeat as per grandparent (have an unwitting (or witting) human do it for you).

Next stage: make the captcha Java code that generates the warped image dynamically. Response: send the JS to the unwitting human.

Next stage: make the Java code generate the token using something intrinsic to the machine running it (IP, etc, etc). Response: snatch the image from display ram to present to the unwitting human.

Next stage: include in the image information about what the image is for (site, etc). Response: block those parts, or use witting humans who don't care or are otherwise paid (in porn, 3rd-world wages, etc).

You can make it progressively harder, but you can't make it impossible. You might be able to make it hard enough, though.

Re:spammer's low-tech way (1)

yasth (203461) | more than 9 years ago | (#13391008)

EvilServer waits for a porn access attempt, which it pauses on, runs out and grabs a page on yahoo (or whatever), saves the image locally, and sends the porn user a page referencing the image local to EvilServer. EvilServer is set up so the invalidation time on the captcha is less than Yahoo's (which is I believe 10 min). EvilServer uses the porn user's input and continues the session with yahoo.

It also means that anyone can verify based on anyone else's captchas, so if you have more bandwidth than time, you can just use a bit of scripting to use someone else's captcha.

It is rather dissimilar to encryption. It is just noisy input; lots of signal detection and standard OCR practices can be used. Getting around them is pretty easy honestly, mostly because you don't have to be as good as an average human but only as good as a guy with bad glasses and a fuzzy screen, otherwise known as a couple percentile points from bottom. Websites simply can't afford to be too demanding of visual or auditory acuity, as customers lost is profit lost.
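Doctor Crumb's proposal above (no hotlinking, never reuse an image) and the relay that jesup and yasth describe can be tried out in a few lines. The following is an added example, not PWNtcha's code or anything posted in this thread: a toy issuer that binds every challenge to the session that requested it, makes it single-use and expires it, plus a relay that passes all three checks anyway because, from the issuer's point of view, the relay *is* the legitimate session. Session ids, the ten-minute lifetime and the "human" stand-in are assumptions for the demo; the puzzle string plays the role of the image.

```python
"""
Added example (not from PWNtcha or the Slashdot thread): a toy CAPTCHA
issuer that applies the defences proposed in the thread (challenge bound
to the requesting session, single use, short expiry) and a relay that
defeats them anyway. All names, timings and the "human solver" are
constructed for the demo.
"""
import secrets
import time

CHALLENGE_TTL = 600.0  # seconds; assumed, the thread guesses ~10 min for Yahoo


class CaptchaIssuer:
    """Server side: issues one-time challenges tied to a session id."""

    def __init__(self, ttl=CHALLENGE_TTL, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._pending = {}  # challenge_id -> (session_id, answer, issued_at)

    def issue(self, session_id):
        """Return (challenge_id, puzzle). The puzzle stands in for the image."""
        answer = secrets.token_hex(3)           # the 6 characters the "image" shows
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (session_id, answer, self.clock())
        return cid, f"image:{answer}"

    def verify(self, session_id, cid, response):
        """Single use: the challenge is consumed whether or not it matches."""
        entry = self._pending.pop(cid, None)
        if entry is None:
            return False                        # unknown, replayed, or already used
        bound_session, answer, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            return False                        # expired
        if bound_session != session_id:
            return False                        # hotlinked into someone else's session
        return secrets.compare_digest(answer, response)


def human_reads(puzzle):
    """Constructed stand-in for a person looking at the image."""
    return puzzle.split(":", 1)[1]


class RelayServer:
    """
    The attack from the thread: the relay opens its *own* session with the
    target, fetches a fresh challenge, shows the puzzle to a visitor of its
    own site, and submits that visitor's answer within the TTL. Session
    binding and single-use do not help, because the relay holds the session.
    """

    def __init__(self, issuer, solver):
        self.issuer = issuer
        self.solver = solver                    # whoever solves it for us

    def register(self):
        session = "relay-" + secrets.token_hex(4)
        cid, puzzle = self.issuer.issue(session)
        answer = self.solver(puzzle)            # shown to the unwitting visitor
        return self.issuer.verify(session, cid, answer)


def demo():
    """Returns (replay_rejected, cross_session_rejected, relay_succeeded)."""
    issuer = CaptchaIssuer()

    # honest flow, then a replay of the same challenge id
    cid, puzzle = issuer.issue("alice")
    first = issuer.verify("alice", cid, human_reads(puzzle))
    replay = issuer.verify("alice", cid, human_reads(puzzle))

    # challenge issued to bob, answered from mallory's session
    cid, puzzle = issuer.issue("bob")
    cross = issuer.verify("mallory", cid, human_reads(puzzle))

    # relay: every server-side check passes
    relayed = RelayServer(issuer, human_reads).register()
    return first and not replay, not cross, relayed


def expiry_demo():
    """Expired challenges are rejected even with the right answer."""
    now = [0.0]
    issuer = CaptchaIssuer(ttl=10.0, clock=lambda: now[0])
    cid, puzzle = issuer.issue("carol")
    now[0] = 11.0
    return issuer.verify("carol", cid, human_reads(puzzle))


if __name__ == "__main__":
    print(demo(), expiry_demo())
```

The only lever the issuer keeps against the relay is the TTL, and yasth's point stands: the relay just has to be faster than the lifetime, so shortening it mostly costs legitimate users on slow connections.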

Re:spammer's low-tech way (1)

JadeNB (784349) | more than 9 years ago | (#13391053)

It is rather dissimilar to encryption. It is just noisy input; lots of signal detection and standard OCR practices can be used.


Cryptographic ideas appear in the analysis of ancient languages (such as Linear B) all the time. Just because the techniques that prevent a computer from accessing the data aren't recognisable as `codes' in the familiar sense doesn't mean that what's happening isn't encryption; in fact the result is a `cryptogram' in the most literal sense, namely, `hidden writing'.

Re:spammer's low-tech way (1, Informative)

weevlos (766887) | more than 9 years ago | (#13391014)

I've heard this myth repeated on slashdot many times, but never seen any evidence of it being implemented in the wild.

rock paper scissors... (5, Funny)

jpellino (202698) | more than 9 years ago | (#13390667)

captcha stops bots
pwntcha breaks captcha
slashdot cremates pwntcha

Rock paper scissors snorkel (2, Insightful)

Wilson_6500 (896824) | more than 9 years ago | (#13390713)

Uh, that game doesn't work unless, say, bots stop Slashdot. Otherwise everyone just picks Slashdot and it's fifth grade all over again.

Re:Rock paper scissors snorkel (1)

Pxtl (151020) | more than 9 years ago | (#13390769)

Hmmph - can you imagine how much damage a bot creating spontaneous accounts can do to the slashdot comment system? Of course, it would quickly get its IP blocked, but still it would be an easy way to sidestep the AC karma penalty.

So yes, bots break slashdot.

but (1)

ImaLamer (260199) | more than 9 years ago | (#13390811)

A million Indian websurfers paid for by spammers beats all three...

Re:rock paper scissors... (1)

stienman (51024) | more than 9 years ago | (#13391060)

Are you implying that bots beat slashdot?

-Adam

Definition (-1, Redundant)

GreatBunzinni (642500) | more than 9 years ago | (#13390671)

For those of us who don't have a clue of what a Captcha is: article on wikipedia

And a cluestick! (0)

Anonymous Coward | more than 9 years ago | (#13390701)

Axe to grind against Captcha? (1, Interesting)

TripMaster Monkey (862126) | more than 9 years ago | (#13390679)


Interesting that an article talking about (among other things) why Captcha is a bad idea is submitted by an anonymous reader, who is forced to validate their human status every time they attempt to post.

(And yes, I'm aware that the submitter may be a member who has merely chosen to submit the story anonymously, but where would the joke be then?)

haha (0)

Anonymous Coward | more than 9 years ago | (#13390784)

you failed getting FP

TMM pwned again

ATTENTION MODS (1, Offtopic)

radishes (904663) | more than 9 years ago | (#13390864)

Just because the post begins with the word "Interesting" does not mean that you have to mod it interesting. Especially when it isn't.

Re:ATTENTION MODS (0)

Anonymous Coward | more than 9 years ago | (#13391033)

Agree, mod gp down modsies!

Hmm (2, Interesting)

sexyrexy (793497) | more than 9 years ago | (#13390681)

While it is an interesting project from a hobbyist and academic standpoint, I'm not really sure what practical value it holds (unless the intent is to sell a mature algorithm to spammers, which is not the case since the project is being published). This is nothing more than a personal scripting project - no new foray into new concepts of computer science or pattern recognition; no new breakthroughs of computer-based heuristics.

ADA (5, Insightful)

dnoyeb (547705) | more than 9 years ago | (#13390689)

Having a legally blind mother that uses the web, I wonder how captcha complies with the Americans With Disabilities Act (when used by American companies of course)?

Is it compatible with BLINUX? I think by definition it is not.

Perhaps I should ask, what alternate method of identification do sites employ to take into account blind users and the ADA?

Re:ADA (2, Interesting)

jpatters (883) | more than 9 years ago | (#13390747)

Audio captchas?

Re:ADA (4, Interesting)

donnyspi (701349) | more than 9 years ago | (#13390748)

Instead of an image based Turing test like Captcha, I just have the last question on a log in screen or form be a randomly selected super easy question. For example, "Spell the number 7" or "What is the next logical number in the sequence 1, 3, 5, 7, ...?" Check it out here: http://www.donnyspi.com/contact.php [donnyspi.com]

Re:ADA (1)

perrin (891) | more than 9 years ago | (#13390943)

> Instead of an image based Turing test like
> Captcha, I just have the last question on a log in
> screen or form be a randomly selected super easy
> question. For example, "Spell the number 7" or
> "What is the next logical number in the sequence
> 1, 3, 5, 7, ...?

The sad thing is that many humans will have problems solving these trivial puzzles, too. Especially when English is not your first language.

Re:ADA (1)

donnyspi (701349) | more than 9 years ago | (#13390992)

If people are having trouble solving these puzzles, then they're probably not getting too much out of my website anyway and would be less likely to use the protected form to leave me a comment or email.

I agree that if my method were applied to Yahoo Mail signup or eBay or something, then questions would have to be given in different languages.

Re:ADA (4, Funny)

TheRaven64 (641858) | more than 9 years ago | (#13390957)

Hmm. Done right, you could weed out bots and stupid people. Excellent!

Speaking of ADA (0)

Loundry (4143) | more than 9 years ago | (#13390989)

You discriminator! Your alleged universal logic questions clearly discriminate against the moronically stupid. You will be sued by my team of kick-ass lawyers!

Re:ADA (0)

Anonymous Coward | more than 9 years ago | (#13391042)

Ha! Those questions are from Who Wants to Be A Millionaire!! "Is that your final answer?"

Re:ADA (2, Insightful)

JadeNB (784349) | more than 9 years ago | (#13391075)

This solution is interesting, but surely not scalable -- while captchas are, by design, easy for computers to generate but hard for them to solve, the same thing that prevents computers from solving 'easy' problems will presumably also prevent them from generating 'easy' problems.

Re:ADA (0)

Anonymous Coward | more than 9 years ago | (#13390760)

It also makes using links on a text terminal at school a PITA.

Re:ADA (1)

Lehk228 (705449) | more than 9 years ago | (#13390778)

some sites have an alternative audio captcha, or instructions to email the admin for an override of the captcha

Re:ADA (0)

Anonymous Coward | more than 9 years ago | (#13390789)

I'm Helen Keller, you insensitive clod!

haha. No no...

Why couldn't Helen Keller drive?
Because she was a woman! *rimshot*

Re:ADA (2, Interesting)

guardian-ct (105061) | more than 9 years ago | (#13390898)

Livejournal has a "If you can't read the text, type "AUDIO" and take a sound test instead." thing, and other sites have other ways around the visual test.

Unfortunately, not all sites have non-visual humanity tests.

Re:ADA (5, Funny)

Tumbleweed (3706) | more than 9 years ago | (#13390918)

I wonder how captcha complies with the Americans With Disabilities Act

Simple - they just use ALT text for the image! :)

Re:ADA (2, Interesting)

La Gris (531858) | more than 9 years ago | (#13390993)

This is a real problem for the visually impaired and not only the blind.

Distorted fonts, noisy lines, random dots and low contrast used in such pictures make it at least very hard or impossible to read.

Accessibility recommendations and W3C standards would require such important content to be backed up with alternate formats like an audio record.

I believe these rules should apply not only to government sites.

But I know no site providing an alternative audio captcha for now. My husband and I require a third person to read most captchas actually.

Re:ADA (1)

DAldredge (2353) | more than 9 years ago | (#13390999)

I think that is the reason that blogs.sun.com requires you to solve a simple math problem before you can post. The math problem is simply written out in text.

Re: Disabilities (2, Informative)

chato (74296) | more than 9 years ago | (#13391044)

The W3C proposed in 2003 a number of Solutions for the Inaccessibility of Visually-Oriented Anti-Robot Tests [w3.org] , including logic puzzles, audio captchas, credit card validation, etc. It is interesting that they also show how a federated identity system can help users with disabilities.

Consider the problem (5, Insightful)

ReformedExCon (897248) | more than 9 years ago | (#13390690)

The problem is that people are using robots to work in an autonomous manner to find ways around typical human limitations (we can only send several hundred emails a day, robots are not so limited). So people want to stop these "cheaters" by making the user prove that they are a human rather than a robot.

Is this really a good thing, though? Even on a site like Slashdot, in a story about defeating bots, the very first comment in this story is posted by a bot. How ironic is that? What is accomplished by banning users who can't read these "captchas" (what a horrendous fake word)? Nothing, apparently, as the story says. It only serves to annoy legitimate users and does nothing to hamper illegitimate robots.

The solution is not this sort of halfway measure. The solution is to make it simply not worth the effort to be a nuisance on a discussion forum. I suppose that requires a glut of intelligent posters, but with the entire citizenry of the Internet available, that can't be so hard.

Re:Consider the problem (1)

TGK (262438) | more than 9 years ago | (#13390804)

Even if Captchas are broken in, say, 1 second by this system - we have greatly raised the cost of sending an email, posting a blog-spam comment, or some other such irritant.

Sure, maybe they're not perfect.

I use them on my website [nephadus.com] mostly because I want to avoid people posting advertisements on my blog. Individuals do it occasionally, but those are easy enough to delete. When someone coded my blog comment form into a bot somewhere and I started getting 100+ spam comments a day I started using captchas.

I'm sure the one I'm using is one of the weakest ones out there - but it's free and required very little time and energy to deploy.

I use Captchas.net's free service. Here [nephandus.com] is an example page rendered from my server.

Re:Consider the problem (1)

TGK (262438) | more than 9 years ago | (#13390889)

Love it when my "n" key doesn't work. Let's try that again. My Website [nephandus.com] . There we are. Much better

Re:Consider the problem (5, Insightful)

A beautiful mind (821714) | more than 9 years ago | (#13390951)

"What is accomplished by banning users who can't read these "captchas" (what a horrendous fake word)? Nothing, apparently, as the story says."

I actually disagree. The captcha method reduces spam load for most sites down to zero. Only the bigger sites need to worry, because spammers may set up a site to specifically target them by rerouting captchas. That's not the case with 99% of the websites using captchas, it's just not worth the effort.

It's sorta like a copy protection: if it stops 90% of the people, then it's good enough.

90% is not "good enough" (1)

benhocking (724439) | more than 9 years ago | (#13391095)

But, and this is probably your point, it's better than nothing! Or, to put another way, if it stops 90% of the people, then it's probably worth its minor cost. (Cost being the effort of humans to read the captchas, etc.)

Another solution (0)

Anonymous Coward | more than 9 years ago | (#13390697)

Just make them nearly impossible to read... like slashdot does

Whoa'man! (-1, Offtopic)

Bananatree3 (872975) | more than 9 years ago | (#13390702)

Yo've captchaed me in de act of subvirt'n a Captcha! How'dar yo try'n expos' mi meth'd of get'n aeroun'd de Captchas!! Yo nit! How'dar yo expos' dis meth'd!

It is patented (3, Informative)

dmeranda (120061) | more than 9 years ago | (#13390717)

This is a good study of how hard it is to design secure systems. It's just like a non-cryptographer trying to create their own cipher, only in the visual processing world. Sadly, the article does not touch on non-visual captchas, which are alternatives for the blind. It would also be interesting to see what Jakob Nielsen [useit.com] might have to say on this technology from a usability perspective.

Of course, one of the primary bad things is that the concept of a captcha is patented, and the patent language is very broad. US Patent# 6,195,698

Also see the Wikipedia article [wikipedia.org] for more information.

why Captcha is a bad idea (1)

hackstraw (262471) | more than 9 years ago | (#13390722)

It's a good enough idea. Even with a captcha defeating library, a fairly skilled person would have to write a script or something to parse the webform (optionally over SSL which is a little more difficult) and programmatically decode the captcha and then fill in the form and submit it.

Usernames and passwords are a bad idea, but we use them. Using cookies or special URLs like slashdot has (or had, not sure) to automatically login is a bad idea.

But they are acceptable for now, relatively simple to implement and use. There have been captcha defeaters for a while. It shouldn't be that tough to do at least a decent percentage of the time and accept a high failure rate because it is automated. It does not have to be 100%. Hell, I've seen captchas that I could not read before, and I'm a human!

Re:why Captcha is a bad idea (1)

Miniluv (165290) | more than 9 years ago | (#13390826)

How exactly would parsing a form "over SSL" be harder than parsing it not over SSL? Are you trying to claim the SSL adds encryption to the form? It doesn't. SSL is transport layer, you're talking application layer. If you mean snooping it, then I challenge you to show a non-brute force implementation of breaking SSL, so it's not "a little more difficult", it's exceptionally more.

Re:why Captcha is a bad idea (1)

BeBoxer (14448) | more than 9 years ago | (#13390960)

No, I think he's saying that writing working SSL code is slightly harder than writing non-SSL socket code. And depending on the language/environment it is harder.

Re:why Captcha is a bad idea (1)

ivan256 (17499) | more than 9 years ago | (#13390892)

Hell, I've seen captchas that I could not read before, and I'm a human!

It's not inconceivable that an algorithm to defeat a particular type of captcha would be better at reading it than a human.

Re:why Captcha is a bad idea (1)

oliverthered (187439) | more than 9 years ago | (#13391025)

It's a good enough idea. Even with a captcha defeating library, a fairly skilled person would have to write a script or something to parse the webform (optionally over SSL which is a little more difficult) and programmatically decode the captcha and then fill in the form and submit it.

It's fairly easy to work with the HTML dom over SSL or not using java, .net, perl and php (or even a firefox plugin)

Usernames and passwords are a bad idea, but we use them.

Agreed, only because of the human factor and the fact that it's impossible for most people to remember a different password and login for every site you need to register on, making your password only as secure as the weakest site.

If you go to somewhere like www.nationwide.co.uk [nationwide.co.uk] and register they will send you a set of 8 random numbers and ask you to type in three of them every login, making it impossible for someone to steal your 'passcode' in one attempt.

Using cookies or special URLs like slashdot has (or had, not sure) to automatically login is a bad idea.

Well if you're using a random number generator with good entropy, then a link with 20 or so 7-bit characters would take 2^27 attempts to brute force, and I guess that would take more time than the human race has left on earth, so they're fairly secure.

Heh (4, Funny)

hungrygrue (872970) | more than 9 years ago | (#13390730)

Well I'm glad someone is writing code to solve those "prove you aren't a script" images, because a lot of times I can't quite figure them out myself.

  • "Q. What is your favorite color?.. No on second thought, nevermind that. What is written in this blob?"
  • "A. I'm not sure, is this a rorschach test? Oh, I know 4 - 3 - Two flies mating - U - V - Giant Nose - X."

This was made by the GNAA (1, Informative)

Anonymous Coward | more than 9 years ago | (#13390737)

I swear this is not a troll. It actually was.

Its bad idea for several reasons (4, Insightful)

bogie (31020) | more than 9 years ago | (#13390751)

Chiefly among them is sometimes you can't tell what the fucking words are. Within the last few months on more than one occasion I simply could not read the letters because they were so distorted and the lines overlapped the letters too much. No fun redoing a web form over and over because you can't figure out what the hell the verification box says.

I can't imagine how people with difficulties cope with this.

Re:Its bad idea for several reasons (2, Interesting)

0xABADC0DA (867955) | more than 9 years ago | (#13391100)

The sites with really good captchas should run anti-captchas... to filter out the *really* hard to read ones. =P

But there are still a lot of ways that haven't been used yet to make the image hard to read for the computer but less hard than the extreme distortions, such as overlapping letters and words. For example, if say only 25% of a word is covered up by another word on top of it, it should still be very easy for a normal person to read both words. Or use different colors and transparency. Or chain captchas together, for example one captcha that says "green" or "small" and another full of letters of various color/size/whatever. Then ask the user to enter the right code (i.e., so they have to use reasoning instead of just pattern recognition).

Captcha a bad idea??? I disagree (1)

davidwr (791652) | more than 9 years ago | (#13390759)

While captchas have drawbacks, notably they require special handling for the vision-impaired, they are useful.

In an era where every blog is a potential spam target, human verification systems are a requirement. Captchas are not the only way to do this, but they are a way.

Since the main story is heavily /.'d and Coral Cache [coralcdn.org] doesn't have it, here it is on mirrordot [mirrordot.org] .

A Necessary evil... (1)

nweaver (113078) | more than 9 years ago | (#13390763)

A: Captchas are a necessary evil. Without it, many services can be horribly, horribly abused.

B: It's how lazy cryptographers do AI: The goal of a captcha is to get someone else to solve a hard vision/learning problem, and then you change the Captcha.

OCR wins (3, Funny)

marked23 (693822) | more than 9 years ago | (#13390780)

Once all these new algorithms get integrated into OCR software... OCR software might just work.

Interesting flash-based captcha (4, Interesting)

fahrvergnugen (228539) | more than 9 years ago | (#13390791)

I just saw a great flash-based Captcha designed to combat just this sort of attack. The test was composed of white text on a white background. Colored shapes of various sizes swirled in the background behind the text in a pseudo-random pattern, and the text was visible or obfuscated depending on whether there was a shape behind it at the moment. After watching it for a few minutes to see if there were any obvious flaws, I noticed that the entire phrase was never visible all at once.

A little patience was required, but I was able to verify in less than 10 seconds. Animation seems to be very useful for this kind of application.

Re:Interesting flash-based captcha (0)

Anonymous Coward | more than 9 years ago | (#13390828)

Do you know how Flash works?

It's just layers of images, vectors, and scripting to make it animate.

It would be harder but not at all impossible to crack this in the same way.

This stuff can be disassembled and the offending swirls removed and then re-rendered.

The fact that off the shelf software can crack what people thought would be difficult shows that not much research is going into this stuff.

Re:Interesting flash-based captcha (1)

GigsVT (208848) | more than 9 years ago | (#13390891)

So now not only do you discriminate against blind people, you prevent people without Flash from getting to whatever you are protecting.

I got a flawless algorithm to prevent bots from accessing resources... chmod 000.

At least then you don't tease people into thinking they might be able to use your site when in reality you lock out a good 1-2% of people for arbitrary and probably illegal reasons.

Re:Interesting flash-based captcha (5, Insightful)

JimmehAH (817552) | more than 9 years ago | (#13390935)

You could just write the bot to decompile the .swf file and grab the string (or vector/raster representation of the text) from that.

Flash is a bad format to use for a CAPTCHA from a security and accessibility point of view.

Re:Interesting flash-based captcha (1)

A beautiful mind (821714) | more than 9 years ago | (#13391035)

You beat me to replying...

This [flash based thing] is the easiest form of captcha to crack. I bet it would take just a few seconds looking around a flash extractor on CPAN [cpan.org] or something.

Defeating animated Captcha (1)

tjwhaynes (114792) | more than 9 years ago | (#13390955)

The test was composed of white text on a white background. Colored shapes of various sizes swirled in the background behind the text in a pseudo-random pattern

That is fairly easy to break if the text is stationary - simply keep taking pictures. Once you have enough (probably 10 seconds worth at 3fps) just stack all the images on top of each other and "add" them up. The moving parts will fade into the background and leave the text standing proud for some quick OCR.

Now if the text moved as well, it would be better. But you still create problems for platforms without Flash and for any blind users. Flash for captcha doesn't sound that bright to me.

Cheers,
Toby Haynes

Yet another problem hashcash can solve (1)

tomstdenis (446163) | more than 9 years ago | (#13390852)

Hashcash doesn't care if you're blind and need special screen reading software.

It makes bulk spamming expensive as well. That may not apply to blog spamming as much but it's still a good way to slow them down.

Tom

Re:Yet another problem hashcash can solve (1)

ccoder (468480) | more than 9 years ago | (#13390976)

Hashcash values can be pre-computed, as well as several other attacks... not very secure in the long run, but good for a stop-gap measure. Since there is no exchange of information to make hashcash work, there is nothing to stop a spammer from pre-generating all the hashcash values and THEN sending the spam in one fell swoop.
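As an added example, not code from the thread or from the hashcash project: a minimal hashcash-style stamp minter in Python, beside a constructed server that only accepts stamps bound to a nonce it issued recently and never accepts the same nonce twice, which is one way to close the pre-computation gap the comment above describes. The stamp layout, the `ChallengeServer` class, its field names and the hypothetical resource name "comment-form" are assumptions made for this illustration.

```python
import hashlib
import secrets
import time


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def pow_ok(stamp: str, bits: int) -> bool:
    """Stateless check: SHA-1(stamp) has at least `bits` leading zero bits.
    This is all a plain hashcash verifier can check, so a stamp can be
    minted long before it is spent (the pre-computation the post describes)."""
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits


def mint(resource: str, bits: int, challenge: str = "") -> str:
    """Mint a stamp "1:bits:resource:challenge:counter" (constructed layout,
    not the real hashcash header) by brute-forcing the counter."""
    counter = 0
    while True:
        stamp = f"1:{bits}:{resource}:{challenge}:{counter}"
        if pow_ok(stamp, bits):
            return stamp
        counter += 1


class ChallengeServer:
    """Hypothetical server-side verifier. It hands out a fresh random nonce
    per form load; a stamp is accepted only if it carries a nonce this
    server issued, the nonce has not expired, and it has not been spent."""

    def __init__(self, bits: int, ttl_seconds: float = 60.0):
        self.bits = bits
        self.ttl = ttl_seconds
        self.outstanding = {}  # nonce -> expiry time (seconds)

    def issue(self, now=None) -> str:
        now = time.time() if now is None else now
        nonce = secrets.token_hex(8)
        self.outstanding[nonce] = now + self.ttl
        return nonce

    def accept(self, stamp: str, resource: str, now=None) -> bool:
        now = time.time() if now is None else now
        parts = stamp.split(":")
        if len(parts) != 5 or parts[0] != "1":
            return False
        try:
            bits = int(parts[1])
        except ValueError:
            return False
        if bits < self.bits or parts[2] != resource:
            return False
        nonce = parts[3]
        expiry = self.outstanding.get(nonce)
        if expiry is None or now > expiry:
            return False  # never issued by us, already spent, or too old
        if not pow_ok(stamp, bits):
            return False  # keep the nonce: an honest client may retry
        del self.outstanding[nonce]  # single use, so replaying the stamp fails
        return True


if __name__ == "__main__":
    server = ChallengeServer(bits=12)
    nonce = server.issue()
    stamp = mint("comment-form", 12, nonce)
    print(stamp, server.accept(stamp, "comment-form"))      # accepted once
    print(server.accept(stamp, "comment-form"))             # replay rejected
    early = mint("comment-form", 12, "0000000000000000")    # made-up nonce
    print(pow_ok(early, 12), server.accept(early, "comment-form"))
```

The last line shows the trade-off: the pre-minted stamp passes the stateless proof-of-work check but the server refuses it because it never issued that nonce, at the cost of the server now keeping short-lived state per form load.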

Try AuthImage for WordPress with a little tweaking (2, Interesting)

PeeAitchPee (712652) | more than 9 years ago | (#13390908)

Having to wade through 60+ spam comments a day on a WordPress blog (with all the stock antispam options enabled) just sucked . . . and the blog didn't even get much traffic (PageRank of 4). I installed the AuthImage plugin [gudlyf.com] and used it on its stock settings, and for a while didn't get a single bit of spam. Then, magically, it started up again. It seems some industrious little script kiddies have written a crawler to massively bombard AuthImage-enabled blogs with words from the stock word list. I switched from the wordlist file to randomly-generated strings and increased the size of the image for readability, and I never had another piece of comment spam in that blog again.

As for blind folks, I suppose every webmaster has to make that decision based on their target demographic, but I've seen a few text-only captchas that work well enough ("What color is an orange?") but will inevitably have the same limitation as the AuthImage word list above.

Easiest way to Defeat Captchas (4, Interesting)

Bondolo (14225) | more than 9 years ago | (#13390917)

  1. Put up a "free" pr0n site.
  2. Require visitors to the pr0n site to process a captcha before viewing the pr0n. In reality they are proxy processing a captcha for another site (paypal, hotmail, yahoo, etc.) which they never see.
  3. Profit!

Captchas are next to useless and for the visually impaired very frustrating. One more example of a technology which annoys everyone and yet doesn't really stop the determined miscreant. <cough>airport shoe inspections</cough>

Captchas = Turing test (4, Insightful)

G4from128k (686170) | more than 9 years ago | (#13390928)

As with the Turing test, the entire purpose of a captcha is to distinguish humans from machines. As captcha-defeaters improve, the captchas will need to become more and more sophisticated and require more and more human or human-like intelligence to process. This arms race will culminate in a Turing test-like approach for discerning natural intelligences from artificial ones.

The ultimate irony may occur when the first human-intelligent computer is created by a spammer for the purpose of assaulting our collective intelligences with their commercial drivel. Given the increasing value of online commerce and Google page ranking, there's probably more money in AI for captchas than AI for academic research.

But before captchas get that sophisticated, the system will become self-defeating as the number of real humans defeated by captchas exceeds the number of AIs repelled by them.

Using Captcha for distributed processing (1)

greywire (78262) | more than 9 years ago | (#13390934)

Use captcha to encode math problems (i.e., the captcha would have "sin(34) * 10" or whatever, and you have to type in the answer).

This way, not only does it take a little longer to analyze, but you get them to do a little bit of work for you. Force the spammers to be part of your little distributed processing system.

Of course the problems need to be simple enough for the users to figure out...

for the blind (0)

Anonymous Coward | more than 9 years ago | (#13390936)

would it really be so hard to make an audio version of it too? .. play with the peaks, add extra noise so it's hard for computers to recognize? .. sure they COULD recognize the audio as easily as .. well hell I can't even read the slashdot one at the bottom of my screen here .. hmmm - page reload - nvm found one I can read :P

Commentary on w3's captcha-inaccessibility page (2, Informative)

davidwr (791652) | more than 9 years ago | (#13391000)

The main article refers to Inaccessibility of Visually-Oriented Anti-Robot Tests [w3.org] , which deserves a read and commentary.

Among the claims:
- captchas are inaccessible to the blind - true
- a horde of human beings can decode the entire library over time - only true if the images are recycled, not if they are created on-demand or for one-time use.

It also discusses some of the side-effects of making access to real humans harder, or harder for a class of users such as the visually impaired. For example, I've seen sites that say "If you cannot read this, call this phone number for access." Too bad for you if you don't have a phone.

As alternatives, it offers
- logic puzzles
- sound output
- credit-card validation
- live operators
- limited use of unverified accounts, such as throttling for email
- behavior and heuristic analysis
- already-established credentials, such as single-sign-on systems or public-key-based systems
- biometrics

The article briefly discusses the pros and cons of each.

I rate its conclusion

"Visual verification alone is known to create problems with users. It is imperative that site designers take the needs of users with disabilities into account, and it is likewise hoped that one or more of these potential solutions can make that process easier."

as: insightful +5 obvious -1.

The article as a whole gets an "informative +5."

Anyone read this notice on the top of the page? (0)

Anonymous Coward | more than 9 years ago | (#13391007)

"Many thanks to the VideoLAN project for hosting my page during the /. effect, to the GNAA for providing me with a massive amount of Captcha samples, and of course to every other contributor to this project."

Is this the same GNAA that trolls slashdot on a regular basis?

Re:Anyone read this notice on the top of the page? (0)

Anonymous Coward | more than 9 years ago | (#13391026)

It sure is - follow the link.

Re:Anyone read this notice on the top of the page? (0)

Anonymous Coward | more than 9 years ago | (#13391029)

yes it is the same GNAA that trolls slashdot, I think the author of that program is a GNAA member, probably used to flood slashdot.

GNAA? WTF? (1)

EiZei (848645) | more than 9 years ago | (#13391045)

There must be at least some irony found in the fact that an article whose creation was furthered by the infamous GNAA is posted on the front page..

This is a GNAA troll (0)

Anonymous Coward | more than 9 years ago | (#13391092)

Notice this is written by the same guy who coded LMOS (GNAA's Last Measure Operating System). Combine this with the fact that there is no proof-of-concept code available, it makes me think this is just another GNAA attempt to get Slashdotted. The page would probably redirect to goatse or Last Measure right now if the server wasn't slashdotted. YHBT by the GNAA.