Now Even Photo CAPTCHAs Have Been Cracked

MoonUnit writes "Technology Review has an interesting article about the way CAPTCHAS are fueling AI research. Following recent news about various textual CAPTCHAs being cracked, the article notes that a researcher at Palo Alto Research Center has now found a way to crack photo-based CAPTCHAs too. Most approaches are based on statistical learning, however, so Luis von Ahn (one of the inventors of the CAPTCHA) says it is usually possible to make a CAPTCHA more difficult to break by making a few simple changes."
  • damn it (Score:5, Insightful)

    by ThorGod ( 456163 ) on Tuesday October 14, 2008 @11:16AM (#25369419) Journal

    They're already hard to read. Why do I feel that soon I won't be able to read ANY of them!?

  • when... (Score:4, Insightful)

    by cosmocain ( 1060326 ) on Tuesday October 14, 2008 @11:21AM (#25369515)
    ...will we learn that, if there's a fundamental flaw in a protocol, there's no way we can prevent it from being abused. Every measure will sooner or later have its counterpart and fail.
  • Re:I don't get it (Score:4, Insightful)

    by JeanBaptiste ( 537955 ) on Tuesday October 14, 2008 @11:23AM (#25369537)

    Asking simple math or site-relevant questions is not only easier for humans (I'm talking about "What's 5 - 3") to read, but they're harder for automated parsing by software to crack.

    How do you figure that would be harder for automated parsing software to crack? I would think that would be many times easier than to ICR an image that is purposely obfuscated. (I used to work on ICR software and I'd rather write an automated-question-parser)...

  • Re:I don't get it (Score:5, Insightful)

    by blueg3 ( 192743 ) on Tuesday October 14, 2008 @11:24AM (#25369551)

    You have to consider the source of the questions. If the questions are human-generated, it's not economically feasible. Remember that they can train their CAPTCHA-defeating software by paying large numbers of people to supply the answers to CAPTCHAs. Even a very large database could fall to that approach.

    If the questions are machine-generated, then you're pitting a machine generating questions and answers against a machine designed to answer questions.

  • by Chris Mattern ( 191822 ) on Tuesday October 14, 2008 @11:29AM (#25369637)

    Of course CAPTCHAs are a security feature. Unless you have some irrational hatred of robots that inspires you to bar them from your websites, you're trying to keep them out for security reasons.

  • by Anonymous Coward on Tuesday October 14, 2008 @11:34AM (#25369711)

    If humans cannot design a CAPTCHA that computers can't break, but it's trivial to design a CAPTCHA that's easy for computers but impossible for humans to do in the time limit (simple arithmetic with really big numbers), then surely computers are smarter than humans, right?

  • by Abstrackt ( 609015 ) on Tuesday October 14, 2008 @11:35AM (#25369717)

    CAPTCHA is not a security feature. It's a way to help avoid robots pretending to be humans. Anyone using it as a security feature is just giving more reasons for people to find ways to break them. All in all, it's time to get rid of CAPTCHA and move on to some more logical system that would be more difficult, such as a system where users are asked to answer a simple question that contains the answer, such as: If you were born in 1973 and JFK was shot in 1961, were you alive when he was shot? How many liters of water fit into a five-liter bottle?

    It sounds like a great idea, but I've met plenty of people who wouldn't be able to answer either of your questions. To steal a random quote from the internet:

    "Back in the 1980s, Yosemite National Park was having a serious problem with bears: They would wander into campgrounds and break into the garbage bins. This put both bears and people at risk. So the Park Service started installing armored garbage cans that were tricky to open -- you had to swing a latch, align two bits of handle, that sort of thing. But it turns out it's actually quite tricky to get the design of these cans just right. Make it too complex and people can't get them open to put away their garbage in the first place. Said one park ranger, 'There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists.'"

  • by camperdave ( 969942 ) on Tuesday October 14, 2008 @11:36AM (#25369729) Journal
    How many liters of water fit into a five-liter bottle?

    Hmm... That depends. How much water is in the five liter bottle to start with?
    Is there anything else in the bottle?
    Does it have to be a whole number of litres?

    Assuming an empty bottle, and integral numbers of litres, the following can fit: 0, 1, 2, 3, 4, and 5.
  • Re:How about (Score:4, Insightful)

    by pla ( 258480 ) on Tuesday October 14, 2008 @11:38AM (#25369759) Journal
    Instead of asking someone to type in the letters, numbers or how many cats there are in the photo, just randomly generate some scenario:

    That would work wonderfully, if you could truly randomize it (by which I don't mean anything so stringent as neutron sources or the like), rather than using a library of question templates.

    The problem, though, is that you need a better quality of AI to generate arbitrary easy-but-obscure questions than you do to solve them... Keep in mind you need questions that anyone with a 3rd-grade education could read and solve, which limits you to simple grammar, small words, concrete ideas, and no math harder than addition, subtraction, and inequality. Modern AI can already parse and solve those problems fairly well.

    So, you end up using a library of question templates, and once an attacker has seen enough of them, he can reliably fill in the blanks and arrive at a deterministic answer, no massive CPU power or cool AI required.
  • by spyrral ( 162842 ) on Tuesday October 14, 2008 @11:39AM (#25369767) Journal

    How many of these questions would you have? Suppose you spent the time to make 1000 or 10,000. The attacker would simply have them solved by a group of humans (say using Amazon's Mechanical Turk) and put the question/answer pairs into a dictionary for automated attacks.
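
The pool-size argument in the comment above can be put in numbers. This is an added example, not part of the original thread: it assumes challenges are served uniformly at random from a fixed pool and that every human-supplied answer is correct, and all function names are hypothetical.

```python
import math
import random

def expected_coverage(pool_size, labelled):
    """Expected fraction of a fixed question pool whose answer is already known
    after `labelled` challenges have been answered by paid humans.
    Under uniform serving this is also the chance that the next challenge
    served can be answered from the dictionary."""
    return 1.0 - (1.0 - 1.0 / pool_size) ** labelled

def labels_for_coverage(pool_size, target):
    """Smallest number of human-answered challenges whose expected
    coverage of the pool reaches `target` (0 < target < 1)."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - 1.0 / pool_size))

def simulate_coverage(pool_size, labelled, seed=0):
    """Monte Carlo check of expected_coverage: draw challenges with
    replacement and count the distinct questions seen."""
    rng = random.Random(seed)
    seen = {rng.randrange(pool_size) for _ in range(labelled)}
    return len(seen) / pool_size

def pool_report(pool_sizes=(1000, 10000), targets=(0.5, 0.9, 0.99)):
    """Labels needed per pool size and coverage target, for sizing a pool
    or deciding how often it must be replaced."""
    return {n: {t: labels_for_coverage(n, t) for t in targets}
            for n in pool_sizes}

if __name__ == "__main__":
    # Pool sizes are the two figures mentioned in the comment.
    for n, row in pool_report().items():
        for t, k in row.items():
            print(f"pool={n:>6}  coverage>={t:.0%}  human-answered challenges={k}")
    print("simulated, pool=1000, 1000 answers:", simulate_coverage(1000, 1000))
```

The number of answered challenges needed grows only linearly with the pool (about 2.3 times the pool size for 90% coverage), so a larger hand-written pool raises the cost in proportion and no more.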

  • Re:How about (Score:5, Insightful)

    by Hatta ( 162192 ) on Tuesday October 14, 2008 @11:49AM (#25369915) Journal

    Keep in mind you need questions that anyone with a 3rd-grade education could read and solve

    Why? Personally, I'd prefer to participate in forums that require a college level education to participate in.

  • Re:How about (Score:4, Insightful)

    by sunking2 ( 521698 ) on Tuesday October 14, 2008 @11:49AM (#25369923)
    Oh please, a parser from a 1985 adventure game could figure this out :). You have a few nouns and a few verbs and adjectives. How many questions could you possibly ask from the first sentence? Probably less than a dozen. At worst you have like a 1:6 or so chance of picking the right noun to try. If asked to do it this is probably one of the simpler things to accomplish. Creating a parser that can read at a 2nd grade level isn't all that hard.
  • Re:damn it (Score:5, Insightful)

    by D'Sphitz ( 699604 ) on Tuesday October 14, 2008 @11:54AM (#25370005) Journal
    Try being colorblind sometime. I've had several that I had to take a screenshot of, paste into Photoshop and play with the contrast until I could read it. And even the ones without problem colors like red and green usually take several tries.
  • by Tablizer ( 95088 ) on Tuesday October 14, 2008 @11:56AM (#25370031) Journal

    [bear-proof trashcan] Said one park ranger, "There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists."

    To be fair, the bears have more time to figure out the can. A tourist will just toss the trash on the ground if it takes more than a minute to open the can. The bear, on the other hand, may spend hours if it smells something good.

  • by Anonymous Coward on Tuesday October 14, 2008 @12:23PM (#25370453)

    If you have three apples and you take one apple away, how many apples do you have?

    Correct answer: 1 (The apple you have. The one you took away and therefore 'have')

    Correct answer: 2 (The remaining apples viewing the operation as a mathematical subtraction - expected answer from a child)

    Correct answer: 3 (You have three apples. Movement does not imply a change of ownership)

    Correct answer: 4 (More tenuous, but no assumption should be made that 'one apple' came from the initial set of 'three apples')

  • Re:I don't get it (Score:5, Insightful)

    by TorKlingberg ( 599697 ) on Tuesday October 14, 2008 @12:25PM (#25370489)
    Works for your personal site, not for Yahoo.
  • by Free the Cowards ( 1280296 ) on Tuesday October 14, 2008 @05:16PM (#25374649)

    In the computer world, I always consider "security" to be a matter of allowing authorized people in and keeping unauthorized people out. CAPTCHAs are more a case of determining whether a particular user is desirable or not, not a case of authorization.

  • by markjhood2003 ( 779923 ) on Tuesday October 14, 2008 @09:11PM (#25377157)
    Seems the spammers are hiring boatloads of people to train their CAPTCHA-breaking software. Google and the like could do the same and hire call centers to screen applications for an email account. You want a Gmail account, call a 1-800 number that connects you to some vast call center in India.